Secure Software Development, Security, and Operations (DevSecOps) Practices

DevSecOps brings together secure software development and operations to shorten development cycles, allow organizations to be agile, and maintain the pace of innovation while taking advantage of cloud-native technology and security practices.

This project is intended to help organizations improve security at all stages of the software development life cycle by using commercial off-the-shelf technologies and AI capabilities, and by applying zero trust principles and methodologies.

The NCCoE intends to demonstrate applied, risk-based approaches and recommendations for Secure Software DevSecOps Practices consistent with the NIST Secure Software Development Framework (SSDF) (NIST SP 800-218).

Status: Reviewing Comments

The NCCoE has released a live document as part of its Secure Software DevSecOps project. This release provides several components of the project demonstration, including an Executive Summary and Introduction, a draft of the notional reference model, details on the first example implementation, and information about project collaborators and their contributions. 

The public comment period for the publication has closed. We are currently reviewing the comments received. 

DevSecOps Practices Live Document (Web Version)

Project Abstract

The project focuses initially on developing and documenting an applied, risk-based approach and recommendations for secure DevOps practices consistent with the Secure Software Development Framework (SSDF). DevSecOps helps ensure that security is addressed in every DevOps practice by integrating security into each stage and automatically generating security and compliance artifacts throughout the process, including software development, builds, packaging, distribution, and deployment. This project applies these DevSecOps practices in proof-of-concept use case scenarios.

This project will result in a freely available NIST Cybersecurity Practice Guide.

The project produces practical and actionable guidelines that meaningfully integrate security practices into development methodologies. Organizations could then apply the guidelines when choosing and implementing DevSecOps practices to improve the security of the software they develop and operate.

Collaborating Vendors

Organizations participating in the Software Supply Chain and DevOps Security Practices consortium submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Join the Community of Interest

A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Share your expertise and consider becoming a member of this project's COI. 
