U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

SP 800-204C (Draft)

Implementation of DevSecOps for a Microservices-based Application with Service Mesh

Date Published: September 29, 2021
Comments Due: November 1, 2021 (public comment period is CLOSED)
Email Questions to: sp800-204c-comments@nist.gov

Author(s)

Ramaswamy Chandramouli (NIST)

Announcement

The newest generation of software applications—"cloud-native applications"—is a class with various functional layers, such as transaction logic, application services, infrastructure resources, policy enforcement, and monitoring of states. The unique architecture of this application class requires a more agile software life cycle paradigm, and DevSecOps (development, security, and operations) offers faster deployment and updates, while integrating security throughout the life cycle.

Draft NIST SP 800-204C provides guidance for the implementation of DevSecOps primitives for a reference platform hosting a cloud-native application with the functional layers described above. The guidance also discusses the benefits of this approach for high security assurance and enabling continuous authority to operate (C-ATO).

NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.

Abstract

Keywords

container orchestration and resource management platform; DevSecOps; CI/CD pipelines; infrastructure as code; policy as code; observability as code; GitOps; workflow models; static AST; dynamic AST; interactive AST; SCA
Control Families

None selected

Documentation

Publication:
SP 800-204C (Draft) (DOI)
Local Download

Supplemental Material:
None available

Document History:
09/29/21: SP 800-204C (Draft)
03/08/22: SP 800-204C (Final)