Draft guidelines offer new edge in software security

NIST releases draft guidelines to strengthen secure software development practices; public comments open through Sept. 12, 2025.

NIST Consortium and draft guidelines focus on improving software development security

  • A NIST consortium—comprising NCCoE computer security staff and 14 industry partners—has released a draft overview of guidelines to help organizations develop software securely and identify potential vulnerabilities.
  • NIST is accepting public comments on the draft through Sept. 12 and will host a virtual event on Aug. 27 to present the project and gather feedback.
  • The guidelines and consortium effort align with a June 2025 executive order aimed at enhancing national cybersecurity.

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) is working with industry partners through a consortium to improve software security and reduce vulnerability to cyber threats.

The Software Supply Chain and DevOps Security Practices Consortium is part of NIST’s implementation of White House Executive Order (EO) 14306, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144. As directed by the order, the consortium will develop guidelines based on NIST’s Secure Software Development Framework (SSDF) to support secure software practices.

Led by NIST’s National Cybersecurity Center of Excellence (NCCoE), the consortium includes 14 member organizations.

The group’s objective is to develop guidelines to support security throughout the software development life cycle, including planning, testing, deployment, operation and maintenance.

Draft guidelines for public comment

The NCCoE has just released a preliminary draft of these guidelines as Secure Software Development, Security, and Operations (DevSecOps) Practices (NIST Special Publication (SP) 1800-44) for public comment. The current version outlines the project at a summary level. Future updates will include a reference model and implementation guidelines for the planned use cases.

The publication builds on the SSDF, which NIST released in 2022. While the SSDF outlines high-level secure software development practices, it does not provide detailed guidance on creating a secure development environment tailored to organizational needs. SP 1800-44 complements the SSDF by providing specific examples to support more reliable and efficient software development.

“The SSDF looks at building software holistically, helping organizations figure out what needs to be done to make their development environment more secure, how to protect it and find deficiencies that make it vulnerable,” said NCCoE’s Alper Kerman, one of the publication’s authors. “The draft guidelines we are developing will show how organizations can use commercial, off-the-shelf technologies and AI capabilities and apply zero trust principles and methodologies to create an efficient and secure development environment for producing fast and more reliable software.”

Secure development environments help teams collaborate during software development while restricting unauthorized access. These environments are receiving more attention, as vulnerabilities may arise at any stage of the software development life cycle, Kerman said.

“You have to have an environment to write code in, where the whole team of developers can access it and update the code in an agile fashion,” Kerman said. “But when you are writing code, a team member might bring in code libraries from other parties, for example. We will outline best practices for minimizing the likelihood that vulnerabilities might creep in as a result, such as effective ways to scan the code for trouble spots.”

NIST is accepting comments online from the public on the preliminary draft guidelines through Sept. 12, 2025. The agency plans to release additional draft guidelines in stages over the course of the project, each followed by a public comment period.

For those interested in contributing to the development of the draft guidelines, NIST is planning a virtual event for 1 p.m. EDT, Aug. 27, 2025, to highlight the project’s goals, as well as to gather feedback and additional insight for the project. Registration for the event is available online. NIST invites the public to join its Community of Interest. The project is open to participation from any interested organizations. For more information, write to [email protected]

Edited by Puja Mitra, WTWH Media, for Control Engineering, from a NIST news release.