The NIST National Cybersecurity Center of Excellence (NCCoE) is seeking your feedback on a newly released live document that demonstrates how organizations can implement the security practices and tasks recommended in the NIST Secure Software Development Framework (SSDF) using modern DevSecOps pipelines and commercially available technology. The live document is open for public comment through this Friday, April 24, 2026.
This release provides several components of the NCCoE DevSecOps demonstration, including:
- An updated Executive Summary and Introduction, highlighting the purpose and background of this project.
- A notional reference model for DevSecOps to demonstrate the NIST SSDF.
- Details on the first example implementation, which demonstrates DevSecOps practices in a Microsoft Azure-based environment.
- An appendix highlighting industry collaborators in the project and their technologies used in the demonstration environment.
The live document shares the findings from the NCCoE’s collaborative, demonstrative applied research project with 14 technology companies, who contributed technologies, expertise, and operational insights.
Next Steps
Unlike traditional static publications, this live document will be updated on a rolling basis with additional implementations and technical findings as the work with collaborators in the laboratory continues. In the coming months, the NCCoE will publish use case scenarios for the initial example implementation, as well as details on other example implementations showcasing several development platforms and tools. The NCCoE will also release an analysis that decomposes NIST SSDF practices and tasks into more granular and actionable tasks, illustrating their application within the project’s DevSecOps model.
We Want Your Feedback!
You still have one week left to comment! These resources are open for public comment until April 24, 2026, at 11:59 P.M. EDT. To submit comments, use the comment template on the NCCoE project page