U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

Project Description (Initial Public Draft)

Software Supply Chain and DevOps Security Practices: Implementing a Risk-Based Approach to DevSecOps

Date Published: July 21, 2022
Comments Due: August 22, 2022 (public comment period is CLOSED)
Email Questions to: devsecops-nist@nist.gov

Author(s)

Karen Scarfone (Scarfone Cybersecurity), Murugiah Souppaya (NIST)

Announcement

The NCCoE has released this draft Project Description, which begins a process to solicit public comments for the project requirements, scope, and hardware and software components for use in a laboratory environment.

The project will focus initially on developing and documenting an applied risk-based approach and recommendations for secure DevOps and software supply chain practices consistent with the Secure Software Development Framework (SSDF), Cybersecurity Supply Chain Risk Management (C-SCRM), and other NIST, government, and industry guidance. This project will apply these practices in proof-of-concept use case scenarios that are each specific to a technology, programming language, and industry sector. Both commercial and open source technology will be used to demonstrate the use cases. This project will result in a freely available NIST Cybersecurity Practice Guide. 

Review the project description and submit comments online on or before August 22, 2022. You can also help shape and contribute to this project by joining the NCCoE’s DevSecOps Community of Interest. Send an email to devsecops-nist@nist.gov detailing your interest. 

We value and welcome your input and look forward to your comments. 
 
 

Abstract

Keywords

cloud-native technology; cybersecurity supply chain risk management; DevOps; DevSecOps; secure software development; Secure Software Development Framework (SSDF); supply chain security
Control Families

Assessment, Authorization and Monitoring; System and Services Acquisition; System and Communications Protection; System and Information Integrity

Documentation

Publication:
Draft Project Description (pdf)

Supplemental Material:
Project homepage

Document History:
07/21/22: Project Description (Draft)
11/09/22: Project Description (Final)