
NIST Consortium and Draft Guidelines Aim to Improve Security in Software Development

nist.gov · by Sarah Henderson · July 30, 2025

NIST is soliciting comments from the public on the draft until Sept. 12, and the agency is planning a virtual event to showcase the project and gather feedback on Aug. 27.

GAITHERSBURG, Md. — To support the creation of software that is secure against cyber breaches and free of malicious code, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) is working with industry partners through a consortium focused on improving software security.

The Software Supply Chain and DevOps Security Practices Consortium is part of NIST’s response to White House Executive Order (EO) 14306, Sustaining Select Efforts to Strengthen the Nation's Cybersecurity and Amending Executive Order 13694 and Executive Order 14144. As stipulated in the EO, the consortium will develop guidelines that demonstrate the implementation of best practices based on NIST’s Secure Software Development Framework (SSDF).

Led by NIST’s National Cybersecurity Center of Excellence (NCCoE), the consortium includes 14 member organizations.

The group’s objective is to develop guidelines that will help improve security at all stages of the software development life cycle, from a software product’s initial planning and testing to its deployment, operation and maintenance in real-world environments.

Draft Guidelines for Public Comment

The NCCoE has just released a preliminary draft of these guidelines as Secure Software Development, Security, and Operations (DevSecOps) Practices (NIST Special Publication (SP) 1800-44) for public comment. The current version provides a high-level overview of the project. Future iterations will include a detailed reference model and specific implementation guidelines for each of the project’s planned use cases.

The publication aligns with and expands upon the SSDF, which NIST released in 2022. While the SSDF provides a core set of high-level secure software development practices, it does not go into detail about how an organization might create a secure development environment that fits the organization’s objectives. SP 1800-44 will complement the SSDF by offering specific examples of how to create that environment, leading to consistently trustworthy and quicker software development.

“The SSDF looks at building software holistically, helping organizations figure out what needs to be done to make their development environment more secure, how to protect it and find deficiencies that make it vulnerable,” said NCCoE’s Alper Kerman, one of the publication’s authors. “The draft guidelines we are developing will show how organizations can use commercial, off-the-shelf technologies and AI capabilities and apply zero trust principles and methodologies to create an efficient and secure development environment for producing fast and more reliable software.”

Development environments with security practices in place allow teams to collaborate during the creation of software while preventing unauthorized individuals from accessing their work. These environments are growing in importance as vulnerabilities can crop up at every stage in the software development life cycle, Kerman said.

“You have to have an environment to write code in, where the whole team of developers can access it and update the code in an agile fashion,” Kerman said. “But when you are writing code, a team member might bring in code libraries from other parties, for example. We will outline best practices for minimizing the likelihood that vulnerabilities might creep in as a result, such as effective ways to scan the code for trouble spots.”

NIST is accepting comments online from the public on the preliminary draft guidelines until Sept. 12, 2025. The agency plans to release additional drafts of the guidelines incrementally throughout the life of the project, accompanied by public comment periods.

For those interested in contributing to the development of the draft guidelines, NIST is planning a virtual event for 1 p.m. EDT, Aug. 27, 2025, to highlight the project’s goals, as well as gather feedback and additional insight for the project. Registration for the event is available online. In addition, NIST invites the public to join its Community of Interest. Participation in the project is open to all interested organizations. For more information, write to NCCoE-DevSecOps [at] list.nist.gov.
