{
  "title": "NIST Draft Publications Open for Comment",
  "subtitle": "Many of NIST's cybersecurity and privacy publications are posted as drafts for public comment. Comment periods are still open for the following publications. Visit the links for downloads, related content, and instructions for submitting comments. Your thoughtful reviews and comments are greatly appreciated and help us to improve our standards and guidance.",
  "updated": "2026-04-04T05:00:49.9357413-04:00",
  "id": "https://csrc.nist.gov/csrc/media/feeds/pubs/drafts-open-for-comment.xml",
  "link": "https://csrc.nist.gov/publications/drafts-open-for-comment",
  "entries": [
    {
      "id": "https://csrc.nist.gov/pubs/other/2026/03/24/devsecops-practices/iprd",
      "title": "Other Secure Software Development, Security, and Operations (DevSecOps) Practices Initial Preliminary Draft",
      "summary": "<p>The NIST National Cybersecurity Center of Excellence (NCCoE) is releasing this live document as part of its Secure Software Development, Security, and Operations (DevSecOps) project. This project demonstrates how organizations can implement the security practices and tasks recommended in the <a data-csrc-link=\"true\" data-node-guid=\"92b05c5d-001d-4ef5-920f-f6c7bbab7c05\" href=\"/Projects/ssdf\">NIST Secure Software Development Framework</a> (SSDF) using modern DevSecOps pipelines and commercially available technology. The live document is open for public comment until <b>April 24, 2026.</b></p>\n<p>This release provides several components of the NCCoE DevSecOps demonstration, including:</p>\n<ol>\n<li>An updated <a href=\"https://pages.nist.gov/nccoe-devsecops/executive-summary.html#executive-summary\">Executive Summary and Introduction</a>, highlighting the purpose and background of this project.</li>\n<li>A <a href=\"https://pages.nist.gov/nccoe-devsecops/notational-reference-model.html\">notional reference model</a> for DevSecOps to demonstrate the NIST SSDF.</li>\n<li>Details on the <a href=\"https://pages.nist.gov/nccoe-devsecops/example-implementations.html\">first example implementation</a>, which demonstrates DevSecOps practices in a Microsoft Azure-based environment.</li>\n<li>An <a href=\"https://pages.nist.gov/nccoe-devsecops/appendix-c.html\">appendix</a> highlighting industry collaborators in the project and their technologies used in the demonstration environment.</li>\n</ol>\n<h5><b>Background</b></h5>\n<p>The live document shares findings from the NCCoE's collaborative, demonstrative applied research project with 14 technology companies, who contributed technologies, expertise, and operational insights. This project demonstrates and documents practical approaches for integrating SSDF practices into modern DevSecOps pipelines using commercially available technologies. By automating and standardizing security considerations throughout the development lifecycle, the project aims to help organizations improve efficiency, strengthen software supply chain security, and provide greater assurance that secure software development practices are consistently applied.</p>\n<p>As part of NIST&rsquo;s response to <a href=\"https://www.whitehouse.gov/presidential-actions/2025/06/sustaining-select-efforts-to-strengthen-the-nations-cybersecurity-and-amending-executive-order-13694-and-executive-order-14144/\">Executive Order (EO) 14306</a>, <i>Sustaining Select Efforts to Strengthen the Nation's Cybersecurity and Amending Executive Order 13694 and Executive Order 14144</i>, this project will showcase examples of secure software development practices that fundamentally bolster the security of DevSecOps practices by implementing the SSDF's recommendations.</p>\n<h5><b>Next Steps</b></h5>\n<p>Unlike traditional static publications, this live document will be updated on a rolling basis with additional implementations and technical findings as the work with collaborators in the laboratory continues. In the coming months, the NCCoE will publish use case scenarios for the initial example implementation, as well as details on other example implementations showcasing several development platforms and tools. The NCCoE will also release an analysis that decomposes NIST SSDF practices and tasks into more granular and actionable tasks, illustrating their application within the project's DevSecOps model.</p>",
      "published": "2026-03-24T00:00:00",
      "updated": "2026-03-24T00:00:00",
      "link": "https://csrc.nist.gov/pubs/other/2026/03/24/devsecops-practices/iprd",
      "content": "Comments Due 04/24/2026"
    },
    {
      "id": "https://csrc.nist.gov/pubs/sp/1347/ipd",
      "title": "SP 1347, NIST Cybersecurity Framework 2.0: Informative References Quick-Start Guide Initial Public Draft",
      "summary": "<p>The Initial Public Draft of SP 1347, <em>NIST Cybersecurity Framework 2.0: Informative References Quick‑Start Guide</em>, explains what informative references are and how they support achieving the outcomes of the NIST Cybersecurity Framework (CSF) 2.0. The guide also introduces readers to NIST tools available for accessing, viewing, and using informative references for cybersecurity risk management, including direct download, the CSF 2.0 Reference Tool, and the Online Informative References Program. The draft contains two sample use cases and provides an overview of how artificial intelligence tools can support reference data use.</p>",
      "published": "2026-03-23T00:00:00",
      "updated": "2026-03-23T00:00:00",
      "link": "https://csrc.nist.gov/pubs/sp/1347/ipd",
      "content": "Comments Due 05/06/2026"
    },
    {
      "id": "https://csrc.nist.gov/pubs/sp/1800/42/ipd",
      "title": "SP 1800-42, Digital Identities – Mobile Driver’s License (mDL): Accelerating Development and Adoption of Digital Identity for Financial Institutions Initial Public Draft",
      "summary": "<p>Today, the NCCoE published technical resources to help financial institutions use mobile driver&rsquo;s licenses (mDLs) for customer identification. NIST Special Publication 1800-42 ipd provides an updated reference architecture, implementation details, and key findings from the project.</p>\n<p>Compared to physical driver&rsquo;s licenses, mobile driver&rsquo;s licenses (mDLs) are easier to use for digital transactions and offer improved protections against fraud, identity theft, and unauthorized access. The NCCoE&rsquo;s technology demonstration is tackling the security, privacy, and interoperability issues with mDLs.</p>\n<p>This publication reflects insights from industry collaborators and lessons learned by developing a functional online demonstration using mDLs for customer identification. The publication provides a practical roadmap to enable adoption and implementation of mDLs for online financial management.</p>\n<h4>Feedback</h4>\n<p>You can improve this guide by contributing feedback. As an initial public draft, this document intends to gain critical feedback from stakeholders across government and industry on the implementation of mDL to support Customer Identification Programs and high assurance use cases more broadly. Comments are welcome on all aspects of this document and specifically encouraged on the following areas:</p>\n<ol>\n<li><strong>Implementation and Adoption Challenges.</strong> This document highlights challenges to the adoption of mDL technology learned through engagement with collaborators and stakeholders spanning technology providers, financial institutions, standards bodies and government agencies. However, additional insights on barriers to adoption can help focus the project and future phases of work and NIST&rsquo;s engagement with standards development organizations.</li>\n<li><strong>Regulatory and Compliance Alignment.</strong> This document offers insights into the ways in which mDL online presentation aligns with existing regulatory structures. Additional insights on other regulatory mappings, views on the degree to which alignment is achieved, and suggested clarifications are encouraged.</li>\n<li><strong>Technology Transfer and Resources.</strong> This document as well as supporting resources are intended to aid in implementation of the technology in real world environments. The project team is highly interested in additional resources and tools which may further aid in both technical implementation and broader adoption of the technology.</li>\n<li><strong>Threats and Threat Model.</strong> The threat model proposed here is intended to act as a starting point for members of the ecosystem to identify and prepare for how attacks may shift in an mDL environment. Input on approach, specific threats, and mitigations will be highly valuable in maturing this view and providing greater visibility into future risks.</li>\n</ol>",
      "published": "2026-03-18T00:00:00",
      "updated": "2026-03-18T00:00:00",
      "link": "https://csrc.nist.gov/pubs/sp/1800/42/ipd",
      "content": "Comments Due 05/08/2026"
    }
  ]
}