Existing Work to Leverage

NIST will leverage existing guidance, practices, and recommendations that may be applicable to DevSecOps. They have been and are being developed by NIST and other US government (USG) agencies, standards development organizations (SDOs), industry, and academia. NIST will also develop mappings to existing informative references to ensure the relationships among frameworks, guidance, practices, and recommendations are clear.

NIST held a virtual workshop in January 2021 on improving the security of DevOps practices; you can access the workshop recording and materials here.

Potential work that can be leveraged includes:

NIST Frameworks

• Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1
• Risk Management Framework (RMF) Overview
• Secure Software Development Framework (SSDF)
• Workforce Framework for Cybersecurity (NICE Framework)

NIST Technology Projects

• Hardware Roots of Trust
• National Checklist Program
• Online Informative References (OLIR)
• Open Security Controls Assessment Language
• Security Content Automation Protocol (SCAP)
• Software Assurance Reference Dataset (SARD)

NIST Technology Guidelines

• Application Container Security Guide (SP 800-190)
• Building Secure Microservices-based Applications Using Service-Mesh Architecture (SP 800-204A)
• Developing Cyber Resilient Systems: A Systems Security Engineering Approach (SP 800-160 Vol. 2)
• Guide to Enterprise Patch Management Technologies (SP 800-40 Rev. 3)
• Guide to Security for Full Virtualization Technologies (SP 800-125)
• Hardware-Enabled Security for Server Platforms: Enabling a Layered Approach to Platform Security for Cloud and Edge Computing Use Cases
• Secure Virtual Network Configuration for Virtual Machine (VM) Protection (SP 800-125B)
• Security Recommendations for Server-based Hypervisor Platforms (SP 800-125A Rev. 1)
• Security Strategies for Microservices-based Application Systems (SP 800-204)
• Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems (SP 800-160 Vol. 1)
• Zero Trust Architecture (SP 800-207)

Government, Industry, and Academia Guidance and Practices

• BSA | The Software Alliance
• Carnegie Mellon University (CMU) Software Engineering Institute (SEI) DevOps Blog
• Center for Internet Security (CIS) Benchmarks
• Cloud Security Alliance (CSA) DevSecOps Working Group
• Consortium for Information & Software Quality (CISQ) automated software measurement standards
• Cyber Security & Information Systems Information Analysis Center (CSIAC)
• Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)
• Department of Defense (DoD) Enterprise DevSecOps Initiative
• General Services Administration (GSA) Tech Guides on DevSecOps
• Papers and presentations from the International Workshop on Secure Software Engineering in DevOps and Agile Development
• Software Assurance Forum for Excellence in Code (SAFECode) publications on secure software development
• Additional industry-recommended practices