NIST and Industry Leaders Advance DevSecOps with SP 1800-44


The National Institute of Standards and Technology (NIST) is once again reinforcing its role as a keystone in U.S. cybersecurity strategy. In response to Executive Order 14306, issued in June 2025 to bolster national cyber defense, NIST’s National Cybersecurity Center of Excellence (NCCoE), alongside 14 industry leaders, has launched a project aimed at embedding security throughout the software development lifecycle (SDLC). The initial deliverable, a draft of NIST Special Publication (SP) 1800-44, is now open for public comment.

Evolving Beyond the SSDF 

In 2022, NIST published the Secure Software Development Framework (SSDF), a high-level set of best practices intended to guide secure software creation. SP 1800-44 builds on that foundation, translating SSDF’s broad concepts into actionable DevSecOps strategies and architectural guidance. 

Where the SSDF established the "what," SP 1800-44 begins to define the "how." It outlines secure SDLC practices spanning planning, development, testing, deployment, and operations. The draft focuses on integrating commercial off-the-shelf (COTS) tools, AI, and Zero Trust principles into CI/CD pipelines.

DevSecOps in Action 

SP 1800-44 aims to go far beyond theory. Over time, it will present use case demonstrations across industries, programming languages, and platforms. These practical blueprints are intended to show how security can be built into DevOps practices by default.

Participating organizations include: 

Their involvement ensures the eventual NIST Cybersecurity Practice Guide will feature realistic integration paths for organizations already committed to specific toolchains. 

Key focus areas include: 

  • Automated vulnerability scanning in build pipelines 
  • Securing third-party code/library ingestion 
  • Enforcing Zero Trust access controls in dev environments 
  • Generating auditable compliance artifacts in real time

Security Without Slowing Down 

A central promise of DevSecOps is that security doesn’t have to come at the cost of agility. NIST’s guidelines embrace that ethos, showing how teams can write, test, and deploy code rapidly while preserving integrity and auditability. 

The draft encourages adoption of AI-enabled security tools that: 

  • Detect anomalous behaviors in development environments 
  • Flag insecure code contributions in real time 
  • Automate remediation suggestions 
  • Support continuous compliance reporting 

This approach is especially crucial for large, distributed teams working in multi-cloud environments. By codifying secure defaults and automating enforcement, teams reduce the human error and configuration drift that often lead to breaches. 

Help Shape the Future 

NIST is actively soliciting feedback on the draft SP 1800-44 until September 12, 2025. Additionally, a virtual event on August 27, 2025, will provide cybersecurity professionals with a platform to engage with the consortium, ask questions, and propose enhancements. 

Cybersecurity leaders, developers, and compliance officers are encouraged to: 

  • Review the initial draft 
  • Provide input grounded in real-world implementation challenges 
  • Join NIST’s Community of Interest (COI) to stay engaged throughout the process 