Software Supply Chain and DevOps Security Practices

DevOps brings together software development and operations to shorten development cycles, allow organizations to be agile, and maintain the pace of innovation while taking advantage of cloud-native technology and practices. Industry and government have fully embraced and are rapidly implementing these practices to develop and deploy software in operational environments, often without a full understanding and consideration of security.

This project is intended to help enable organizations to maintain the velocity and volume of software delivery in a cloud-native way and take advantage of automated tools

The NCCoE intends to demonstrate DevSecOps practices that would apply to organizations of all sizes and from all sectors, and to development for information technology (IT), operational technology (OT), Internet of Things (IoT), and other technology types.
Status: Preparing Draft

This project is currently in the build phase. The project team is currently preparing a draft of the practice guide. Once a draft is completed, the publication will be available for public comment.

Project Abstract

To help improve the security of DevOps practices, the NCCoE is planning a DevSecOps project that will focus initially on developing and documenting an applied risk-based approach and recommendations for secure DevOps and software supply chain practices consistent with the Secure Software Development Framework (SSDF), Cybersecurity Supply Chain Risk Management (C-SCRM), and other NIST, government, and industry guidance. DevSecOps helps ensure that security is addressed as part of all DevOps practices by integrating security practices and automatically generating security and compliance artifacts throughout the process, including software development, builds, packaging, distribution, and deployment.

This project will apply these DevSecOps practices in proof-of-concept use case scenarios that will each be specific to a technology, programming language, and industry sector. Both commercial and open source technology will be used to demonstrate the use cases. Also, as part of this project, NIST will bring together and normalize content on DevSecOps practices from existing guidance and practices publications.

This project will result in a freely available NIST Cybersecurity Practice Guide.

The project will produce practical and actionable guidelines that meaningfully integrate security practices into development methodologies. Organizations could then apply the guidelines when choosing and implementing DevSecOps practices to improve the security of the software they develop and operate.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Join the Community of Interest

Employee speaking on video call with colleagues on online briefing with laptop at home

A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Share your expertise and consider becoming a member of this project's COI. 

Tell us about yourself

First & Last Name