Software Supply Chain and DevOps Security Practices

DevOps brings together software development and operations to shorten development cycles, allow organizations to be agile, and maintain the pace of innovation while taking advantage of cloud-native technology and practices. Industry and government have fully embraced and are rapidly implementing these practices to develop and deploy software in operational environments, often without a full understanding and consideration of security.

This project is intended to help enable organizations to maintain the velocity and volume of software delivery in a cloud-native way and take advantage of automated tools

The NCCoE intends to demonstrate DevSecOps practices that would apply to organizations of all sizes and from all sectors, and to development for information technology (IT), operational technology (OT), Internet of Things (IoT), and other technology types.
Status: Reviewing Comments

The public comment period has closed for the draft Project Description, Software Supply Chain and DevOps Security Practices: Implementing a Risk-Based Approach to DevSecOps. Thank you to everyone who shared their feedback with us. We are currently reviewing the comments received as work continues on the implementation of the demonstration and development of other sections of the publication. 

To help improve the security of DevOps practices, the NCCoE is planning a DevSecOps project that will focus initially on developing and documenting an applied risk-based approach and recommendations for secure DevOps and software supply chain practices consistent with the Secure Software Development Framework (SSDF), Cybersecurity Supply Chain Risk Management (C-SCRM), and other NIST, government, and industry guidance. DevSecOps helps ensure that security is addressed as part of all DevOps practices by integrating security practices and automatically generating security and compliance artifacts throughout the process, including software development, builds, packaging, distribution, and deployment.

This project will apply these DevSecOps practices in proof-of-concept use case scenarios that will each be specific to a technology, programming language, and industry sector. Both commercial and open source technology will be used to demonstrate the use cases. Also, as part of this project, NIST will bring together and normalize content on DevSecOps practices from existing guidance and practices publications.

This project will result in a freely available NIST Cybersecurity Practice Guide.

The project will produce practical and actionable guidelines that meaningfully integrate security practices into development methodologies. Organizations could then apply the guidelines when choosing and implementing DevSecOps practices to improve the security of the software they develop and operate.

Join the Community of Interest

Employee speaking on video call with colleagues on online briefing with laptop at home

A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Share your expertise and consider becoming a member of this project's COI. 

Tell us about yourself

First & Last Name