NIST Consortium Releases Draft Guidelines to Strengthen Software Security
A draft set of guidelines aimed at improving software security across the development lifecycle has been released for public comment, targeting developers, vendors, and organizations seeking to mitigate cyber risks. The initiative stems from the National Institute of Standards and Technology’s (NIST) Software Supply Chain and DevOps Security Practices Consortium, which was formed in response to multiple White House Executive Orders, including EO 14306, EO 13694, and EO 14144.
Consortium Composition and Objectives
The consortium, led by NIST’s National Cybersecurity Center of Excellence (NCCoE), comprises 14 member organizations from industry and academia. Its primary goal is to create detailed guidelines that expand upon NIST’s Secure Software Development Framework (SSDF) released in 2022, offering concrete practices for each phase of software creation, testing, deployment, and maintenance.
Draft Guidelines for Public Review
NCCoE has published a preliminary draft titled “Secure Software Development, Security, and Operations (DevSecOps) Practices” (NIST Special Publication 1800-44). The document provides a high‑level overview of the project and will be refined in subsequent versions to include a detailed reference model and specific implementation instructions for identified use cases.
Key Focus Areas Highlighted
According to Alper Kerman, a co‑author from NCCoE, the draft emphasizes the use of commercial off‑the‑shelf technologies, artificial‑intelligence capabilities, and zero‑trust principles to build efficient and secure development environments. The guidelines also address practices for scanning third‑party code libraries and preventing unauthorized access during collaborative development.
Public Participation and Upcoming Event
NIST is accepting comments online until September 12, 2025. A virtual briefing is scheduled for 1 p.m. EDT on August 27, 2025, to discuss the project’s goals and gather stakeholder feedback. Interested parties can register online and join the NIST Community of Interest via email at NCCoE-DevSecOps@list.nist.gov.
Future Development Timeline
The agency plans to release additional draft iterations incrementally, each accompanied by a public comment period, to refine the guidelines throughout the project’s lifespan and support the broader adoption of secure software development practices.
This report is based on information from NIST, licensed under Public Domain (U.S. Government Work). Source: Official U.S. Government release.