NIST SP 800-204D (Initial Public Draft)

Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD pipelines

Date Published: August 30, 2023
Comments Due: October 13, 2023
Email Comments to: sp800-204d-comments@nist.gov

Author(s)

Ramaswamy Chandramouli (NIST), Frederick Kautz (TestifySec), Santiago Torres Arias (Purdue University)

Announcement

Cloud-native applications are made up of multiple loosely coupled components called microservices. This class of applications is generally developed through an agile software development life cycle (SDLC) paradigm called DevSecOps, which uses flow processes called continuous integration/continuous delivery (CI/CD) pipelines. Analyses of recent software attacks and vulnerabilities have led both government and private-sector organizations to focus on the activities involved in the entire SDLC. The collection of these activities is called the software supply chain (SSC). The integrity of these individual operations contributes to the overall security of an SSC, and threats can arise from attack vectors unleashed by malicious actors as well as defects introduced when due diligence practices are not followed during the SDLC.

Executive Order (EO) 14028, NIST’s Secure Software Development Framework (SSDF), other government initiatives, and industry forums have addressed security assurance measures for SSCs to enhance the security of all deployed software. This document focuses on actionable measures to integrate the various building blocks of SSC security assurance into CI/CD pipelines to prepare organizations to address SSC security in the development and deployment of their cloud-native applications.

NOTE: A call for patent claims is included on page ii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Abstract

Keywords

actor; artifact; attestation; CI/CD pipeline; package; provenance; repository; SBOM; SDLC; SLSA; software supply chain

Control Families

None selected

Documentation

Publication:
https://doi.org/10.6028/NIST.SP.800-204D.ipd

Supplemental Material:
None available

Document History:
08/30/23: SP 800-204D (Draft)