Implementing Risk-Based Approach to DevSecOps: Final Project Description Released

The National Cybersecurity Center of Excellence (NCCoE) has released the final project description, Software Supply Chain and DevOps Security Practices: Implementing a Risk-Based Approach to DevSecOps. The publication of this project description continues the process to further identify project requirements and scope, along with hardware and software components for use in the laboratory environment.

The project will focus initially on developing and documenting an applied risk-based approach and recommendations for secure DevOps and software supply chain practices consistent with the Secure Software Development Framework (SSDF), Cybersecurity Supply Chain Risk Management (C-SCRM), and other NIST, government, and industry guidance. This project will apply these practices in proof-of-concept use case scenarios that are each specific to a technology, programming language, and industry sector. Both closed-source and open-source technology will be used to demonstrate the use cases. This project will result in a freely available NIST Cybersecurity Practice Guide.

Next Steps

In the coming months, the NCCoE DevSecOps team will be publishing a Federal Register Notice (FRN) based on the final project description. If you have interest in participating in this project with us as a collaborator, you will have the opportunity to complete a Letter of Interest (LOI) where you can present your capabilities. Completed LOIs are considered on a first-come, first-served basis within each category of components or characteristics listed in the FRN, up to the number of participants in each category necessary to carry out the project build.

/Public Release. This material from the originating organization/author(s) might be of the point-in-time nature, and edited for clarity, style and length. Mirage.News does not take institutional positions or sides, and all views, positions, and conclusions expressed herein are solely those of the author(s).View in full here.