NIST/NCCoE has just published the final project description, Software Supply Chain and DevOps Security Practices: Implementing a Risk-Based Approach to DevSecOps.
The publication of this project description continues the process of further identifying project requirements and scope, along with hardware and software components for use in the laboratory environment.
The project will focus initially on developing and documenting an applied risk-based approach and recommendations for secure DevOps and software supply chain practices consistent with the Secure Software Development Framework (SSDF), Cybersecurity Supply Chain Risk Management (C-SCRM), and other NIST, government, and industry guidance. This project will apply these practices in proof-of-concept use case scenarios that are each specific to a technology, programming language, and industry sector. Both closed-source and open-source technology will be used to demonstrate the use cases. This project will result in a freely available NIST Cybersecurity Practice Guide.
In the coming months, the NCCoE DevSecOps team will publish a Federal Register Notice (FRN) based on the final project description. If you are interested in participating in this project with us as a collaborator, you will have the opportunity to complete a Letter of Interest (LOI) where you can present your capabilities. Completed LOIs are considered on a first-come, first-served basis within each category of components or characteristics listed in the FRN, up to the number of participants in each category necessary to carry out the project build.
Michael Roza CPA, CISA, CIA, MBA, Exec MBA