New Updates! NIST’s Live Document on Secure Software Development Practices

NIST


National Cybersecurity Center of Excellence

Now Available! New Live Guidelines for Secure Software DevSecOps Practices

Comment Now: New Live Guidelines for Secure Software Development, Security, and Operations Practices

The NIST National Cybersecurity Center of Excellence (NCCoE) is releasing a live document as part of its Secure Software Development, Security, and Operations (DevSecOps) Practices project. This project demonstrates how organizations can implement the security practices and tasks recommended in the NIST Secure Software Development Framework (SSDF) using modern DevSecOps pipelines and commercially available technology. The live document is open for public comment until April 24, 2026.

This release provides several components of the NCCoE DevSecOps demonstration, including:

  1. An updated Executive Summary and Introduction, highlighting the purpose and background of this project.
  2. A notional reference model for DevSecOps to demonstrate the NIST SSDF.
  3. Details on the first example implementation, which demonstrates DevSecOps practices in a Microsoft Azure-based environment.
  4. An appendix highlighting industry collaborators in the project and their technologies used in the demonstration environment.

Background

The live document shares findings from the NCCoE's collaborative applied research project, conducted with 14 technology companies that contributed technologies, expertise, and operational insights. The project demonstrates and documents practical approaches for integrating SSDF practices into modern DevSecOps pipelines using commercially available technologies. By automating and standardizing security considerations throughout the development lifecycle, the project aims to help organizations improve efficiency, strengthen software supply chain security, and provide greater assurance that secure software development practices are applied consistently.

As part of NIST's response to Executive Order (EO) 14306, Sustaining Select Efforts to Strengthen the Nation's Cybersecurity and Amending Executive Order 13694 and Executive Order 14144, this project will showcase examples of secure software development practices that strengthen the security of DevSecOps pipelines by implementing the SSDF's recommendations.

Next Steps

Unlike traditional static publications, this live document will be updated on a rolling basis with additional implementations and technical findings as the work with collaborators in the laboratory continues. In the coming months, the NCCoE will publish use case scenarios for the initial example implementation, as well as details on other example implementations showcasing several development platforms and tools. The NCCoE will also release an analysis that decomposes NIST SSDF practices and tasks into more granular and actionable tasks, illustrating their application within the project's DevSecOps model.

We Want Your Feedback!

We encourage you to review the newly available resources and submit comments by April 24, 2026.

Want to stay up to date on this project? Join the NCCoE DevSecOps Community of Interest (COI) to receive project updates and share your technical expertise with the team.


NIST Cybersecurity and Privacy Program
Questions/Comments about this notice: nccoe-devsecops@list.nist.gov
NCCoE Website questions: nccoe@nist.gov