NCCoE Releases Final Project Description for DevSecOps

The National Cybersecurity Center of Excellence (NCCoE) has
released the final project description, Software
Supply Chain and DevOps Security Practices: Implementing a Risk-Based
Approach to DevSecOps. The publication of this project
description continues the process of further identifying project requirements
and scope, along with the hardware and software components for use in the
laboratory environment.

The project will focus initially on developing and documenting
an applied risk-based approach and recommendations for secure DevOps and
software supply chain practices consistent with the Secure Software
Development Framework (SSDF), Cybersecurity Supply Chain Risk Management
(C-SCRM), and other NIST, government, and industry guidance. This project
will apply these practices in proof-of-concept use case scenarios that are
each specific to a technology, programming language, and industry sector.
Both closed-source and open-source technology will be used to demonstrate the
use cases. This project will result in a freely available NIST Cybersecurity
Practice Guide.

Next Steps

In the coming months, the NCCoE DevSecOps team will
publish a Federal Register Notice (FRN) based on the final project
description. If you are interested in participating in this project as
a collaborator, you will have the opportunity to complete a Letter of
Interest (LOI) in which you can present your capabilities. Completed LOIs are
considered on a first-come, first-served basis within each category of
components or characteristics listed in the FRN, up to the number of
participants in each category necessary to carry out the project build.

If you have any questions, please reach out to our project team
at devsecops-nist@nist.gov.
