Date Published: March 24, 2026
Comments Due: April 24, 2026
Author(s)
Alper Kerman (NIST), Michael Ogata (NIST), Parisa Grayeli (MITRE), Joshua Klosterman (MITRE), Phillip Millwee (MITRE), Deanna Stanley (MITRE), Allen Tan (MITRE), William Barker (Dakota Consulting), Sudan Ayanam (AMI), Stefano Righi (AMI), Chrissa Constantine (Black Duck), Tim Mackey (Black Duck), Rahul Dubey (CyberArk), James Imanian (CyberArk), Daniel Carroll (Dell Technologies), Daniel Jackson (Dell Technologies), Dean Cocklin (DigiCert), Dave Roche (DigiCert), Matt Brown (Endor Labs), Tom Gleason (Endor Labs), Paul Pickhardt (GitLab), MaryGrace Wajda (GitLab), Isaac Hepworth (Google), Brandon Lum (Google), Philippe Mulet (IBM), Harmeet Singh (IBM), Tal De La Rosa (Microsoft), Segu Riluvan (Microsoft), Mark Svancarek (Microsoft), Keng Lim (NextLabs), Sameer Shukla (NextLabs), Chima Onukwuru (Palo Alto Networks), Neil Roxburgh (Palo Alto Networks), Jose Palazon (Sagittal AI), Michael Smith (Sagittal AI), Guy Chernobrov (Scribe Security), Daniel Nebenzah (Scribe Security)
Announcement
The NIST National Cybersecurity Center of Excellence (NCCoE) is releasing this live document as part of its Secure Software Development, Security, and Operations (DevSecOps) project. This project demonstrates how organizations can implement the security practices and tasks recommended in the NIST Secure Software Development Framework (SSDF) using modern DevSecOps pipelines and commercially available technology. The live document is open for public comment until April 24, 2026.
This release provides several components of the NCCoE DevSecOps demonstration, including:
- An updated Executive Summary and Introduction, highlighting the purpose and background of this project.
- A notional reference model for DevSecOps to demonstrate the NIST SSDF.
- Details on the first example implementation, which demonstrates DevSecOps practices in a Microsoft Azure-based environment.
- An appendix highlighting industry collaborators in the project and their technologies used in the demonstration environment.
Background
The live document shares findings from the NCCoE's collaborative applied research project with 14 technology companies that contributed technologies, expertise, and operational insights. The project demonstrates and documents practical approaches for integrating SSDF practices into modern DevSecOps pipelines using commercially available technologies. By automating and standardizing security activities throughout the development lifecycle, it aims to help organizations improve efficiency, strengthen software supply chain security, and gain greater assurance that secure software development practices are applied consistently.
As part of NIST’s response to Executive Order (EO) 14306, Sustaining Select Efforts to Strengthen the Nation's Cybersecurity and Amending Executive Order 13694 and Executive Order 14144, this project showcases secure software development practices that strengthen DevSecOps pipelines by implementing the SSDF's recommendations.
Next Steps
Unlike traditional static publications, this live document will be updated on a rolling basis with additional implementations and technical findings as the work with collaborators in the laboratory continues. In the coming months, the NCCoE will publish use case scenarios for the initial example implementation, as well as details on other example implementations showcasing several development platforms and tools. The NCCoE will also release an analysis that decomposes NIST SSDF practices and tasks into more granular and actionable tasks, illustrating their application within the project's DevSecOps model.
Today’s software applications are typically constructed by combining a diverse range of elements, including components, frameworks, libraries, and tools. Rather than building everything from the ground up, developers often combine internally developed and externally sourced components. This modular development approach, coupled with Development and Operations (DevOps) practices that integrate development and operations teams, enables a modern software development process that delivers improved quality, reliability, agility, and efficiency while fostering collaboration among teams. The adoption of Development, Security, and Operations (DevSecOps), a methodology that builds on the DevOps philosophy and integrates security into every phase of software development, is further accelerating this trend, and the use of cloud-native technologies and AI can strengthen security and improve efficiency. However, the complexity and rapid pace of modern software development can still introduce security risks, including those inherited through externally sourced components, which highlights the need for continuous security monitoring and improvement. To address this challenge, the NCCoE is undertaking a project that demonstrates and documents risk-based approaches and recommendations for DevSecOps practices aligned with the NIST Secure Software Development Framework (SSDF). This project showcases secure software development by implementing example processes that adhere to the SSDF’s recommended practices.
Keywords
DevOps; DevSecOps; Secure software development; Secure Software Development Framework (SSDF)