Guidelines for API Protection for Cloud-Native Systems | Draft SP 800-228 Available for Public Comment

NIST


NIST Cybersecurity and Privacy Program

The initial public draft (ipd) of NIST Special Publication (SP) 800-228, Guidelines for API Protection for Cloud-Native Systems, is now available for public comment.

Modern enterprise IT systems rely on a family of application programming interfaces (APIs) for integration to support organizational business processes. Hence, secure development and deployment of APIs is critical for overall enterprise security. This, in turn, requires the identification of risk factors or vulnerabilities in the various phases of the API life cycle and the development of controls or protection measures to prevent their exploitation.

This document addresses the following aspects for achieving that goal:

  1. The identification and analysis of risk factors or vulnerabilities introduced during various activities of API development and runtime,
  2. Recommended basic and advanced controls and protection measures during the pre-runtime and runtime stages of APIs, and
  3. An analysis of the advantages and disadvantages of various implementation options (i.e., patterns) for those controls to enable security practitioners to adopt an incremental, risk-based approach to securing their APIs.

The public comment period is open through May 12, 2025. See the publication details for a copy of the draft and instructions for submitting comments.

NOTE: A call for patent claims is included in the front matter of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Questions/Comments about this notice: sp800-228-comments@nist.gov
CSRC Website questions: csrc-inquiry@nist.gov