The National Cybersecurity Center of Excellence (NCCoE) has released the final project description, Software Supply Chain and DevOps Security Practices: Implementing a Risk-Based Approach to DevSecOps. The publication of this project description continues the process to further identify project requirements and scope, along with hardware and software components for use in the laboratory environment.
The project will focus initially on developing and documenting an applied risk-based approach and recommendations for secure DevOps and software supply chain practices consistent with the Secure Software Development Framework (SSDF), Cybersecurity Supply Chain Risk Management (C-SCRM), and other NIST, government, and industry guidance. This project will apply these practices in proof-of-concept use case scenarios that are each specific to a technology, programming language, and industry sector. Both closed-source and open-source technology will be used to demonstrate the use cases. This project will result in a freely available NIST Cybersecurity Practice Guide.
Next Steps
In the coming months, the NCCoE DevSecOps team will be publishing a Federal Register Notice (FRN) based on the final project description. If you have interest in participating in this project with us as a collaborator, you will have the opportunity to complete a Letter of Interest (LOI) where you can present your capabilities. Completed LOIs are considered on a first-come, first-served basis within each category of components or characteristics listed in the FRN, up to the number of participants in each category necessary to carry out the project build.
If you have any questions, please reach out to our project team at devsecops-nist [at] nist.gov (devsecops-nist[at]nist[dot]gov).