NCCoE Releases Draft Project Description for DevSecOps

The National Cybersecurity Center of Excellence (NCCoE) has
released a new draft project description, Software Supply Chain and DevOps Security
Practices: Implementing a Risk-Based Approach to DevSecOps
Publication of this project description begins a process to solicit public
comments for the project requirements, scope, and hardware and software
components for use in a laboratory environment.

We want your feedback on this draft to help refine the project.
The comment period is now open and will close on August 22, 2022.

The project will focus initially on developing and documenting an
applied risk-based approach and recommendations for secure DevOps and software
supply chain practices consistent with the Secure Software Development
Framework (SSDF), Cybersecurity Supply Chain Risk Management (C-SCRM), and
other NIST, government, and industry guidance. This project will apply these
practices in proof-of-concept use case scenarios that are each specific to a
technology, programming language, and industry sector. Both commercial and open
source technology will be used to demonstrate the use cases. This project will
result in a freely available NIST Cybersecurity Practice Guide.

We Want to Hear from You!

Review the project description and submit comments online on or
before August 22, 2022. You can also help shape and contribute to this project
by joining the NCCoE’s DevSecOps Community of Interest. Send an email to detailing your

We value and welcome your input and look forward to your comments.