DevOps brings together software development and operations to shorten development cycles, allow organizations to be agile, and maintain the pace of innovation while taking advantage of cloud-native technology and practices. Industry and government have fully embraced and are rapidly implementing these practices to develop and deploy software in operational environments, often without a full understanding and consideration of security.
The NCCoE intends to demonstrate DevSecOps practices that would apply to organizations of all sizes and from all sectors, and to development for information technology (IT), operational technology (OT), Internet of Things (IoT), and other technology types.
To help improve the security of DevOps practices, the NCCoE is planning a DevSecOps project that will focus initially on developing and documenting an applied risk-based approach and recommendations for secure DevOps and software supply chain practices consistent with the Secure Software Development Framework (SSDF), Cybersecurity Supply Chain Risk Management (C-SCRM), and other NIST, government, and industry guidance. DevSecOps helps ensure that security is addressed as part of all DevOps practices by integrating security practices and automatically generating security and compliance artifacts throughout the process, including software development, builds, packaging, distribution, and deployment.
This project will apply these DevSecOps practices in proof-of-concept use case scenarios that will each be specific to a technology, programming language, and industry sector. Both commercial and open source technology will be used to demonstrate the use cases. Also, as part of this project, NIST will bring together and normalize content on DevSecOps practices from existing guidance and practices publications.
This project will result in a freely available NIST Cybersecurity Practice Guide.
The project will produce practical and actionable guidelines that meaningfully integrate security practices into development methodologies. Organizations could then apply the guidelines when choosing and implementing DevSecOps practices to improve the security of the software they develop and operate.
A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Share your expertise and consider becoming a member of this project's COI.