NIST Cybersecurity

Software Supply Chain and DevOps Security Practices

Sagittal AI is collaborating with the National Cybersecurity Center of Excellence (NCCoE) in Software Supply Chain and DevOps Security Practices to develop and implement a risk-based approach to DevOps security. NIST does not evaluate commercial products under this Consortium and does not endorse any product or service used. Additional information on this Consortium can be found at: NIST Software Supply Chain and DevOps Security Practices.

This project is intended to help organizations maintain the velocity and volume of software delivery in a cloud-native way and take advantage of automated tools.

The NCCoE intends to demonstrate DevSecOps practices that would apply to organizations of all sizes and from all sectors, and to development for information technology (IT), operational technology (OT), Internet of Things (IoT), and other technology types.

Project Abstract

To help improve the security of DevOps practices, the NCCoE is planning a DevSecOps project that will focus initially on developing and documenting an applied risk-based approach and recommendations for secure DevOps and software supply chain practices consistent with the Secure Software Development Framework (SSDF), Cybersecurity Supply Chain Risk Management (C-SCRM), and other NIST, government, and industry guidance. DevSecOps helps ensure that security is addressed as part of all DevOps practices by integrating security practices and automatically generating security and compliance artifacts throughout the process, including software development, builds, packaging, distribution, and deployment.

This project will apply these DevSecOps practices in proof-of-concept use case scenarios that will each be specific to a technology, programming language, and industry sector. Both commercial and open source technology will be used to demonstrate the use cases. Also, as part of this project, NIST will bring together and normalize content on DevSecOps practices from existing guidance and practices publications.

This project will result in a freely available NIST Cybersecurity Practice Guide.