We are grateful for the opportunity to contribute to the National Institute of Standards and Technology’s (NIST) SP 1800-44 Volume B – DevSecOps Architecture. This publication represents a significant step forward in defining a reference architecture for secure software development, and we appreciate the collaborative efforts of all involved. Security is woven throughout the development lifecycle, addressing challenges such as open-source risk, software supply chain integrity, Software Bill of Materials (SBOM) requirements, insider threats, and Zero Trust principles.
Our team at Microsoft was honored to share frameworks, tools, and expertise to help deploy and configure secure Azure DevOps and GitHub environments.
These efforts were complemented by open-source tooling and partner solutions, resulting in CI/CD examples that reflect industry best practices. Some of the contributions from Microsoft included:
- OpenSSF Secure Supply Chain Consumption Framework (S2C2F) – a framework of requirements, organized into a maturity model, that is focused specifically on how to securely consume open-source dependencies into the developer’s workflow.
- Microsoft SBOM tool – a general-purpose, cross-platform, open-source SBOM generator that produces SPDX SBOMs at build time.
- Copacetic – an open-source tool that automates patching containers at build time.
- GitHub Advanced Security – a suite of tools available on GitHub and Azure DevOps that performs static code analysis scans, software composition analysis, automated dependency updates, and more.
- Defender for Cloud DevOps security – provides a centralized console that enables security teams to protect applications and resources from code to cloud across multi-pipeline environments, including Azure DevOps, GitHub, and GitLab.
Volume B also explores how AI can automate requirements management, code generation, vulnerability analysis, and risk mitigation across the software development lifecycle. These AI-assisted capabilities, embedded within a Zero Trust framework, enforce least privilege and continuous validation. With human oversight, transparency, and audit trails, this approach aims to support secure, compliant automation—reflecting our ongoing commitment to trustworthy DevSecOps.
This project is a collaborative effort led by the National Cybersecurity Center of Excellence (NCCoE) through the National Cybersecurity Excellence Partnership (NCEP) consortium, with NIST guiding the work. We are one of many contributors, and we value the broader industry partnership that makes this work possible. The NCCoE brings together government, industry, and academia to address critical cybersecurity challenges and develop practical, standards-based solutions.
Why NIST’s SP 1800-44 Volume B Matters
Volume B provides a practical blueprint for secure development that organizations can adopt with confidence. Many small and medium-sized businesses struggle to understand what a secure DevOps configuration should look like, or how the DevSecOps lifecycle differs from DevOps. The work in Volume B addresses this challenge by describing the industry best practices for the components and activities in each lifecycle phase, mapping them to NIST SP 800-218 Secure Software Development Framework (SSDF) and noting where AI integrates with activities. This work was validated against two reference builds—one exercising Microsoft’s entire developer stack, and a similar industry stack, deployed on the Azure platform—ensuring NIST guidance reflects real-world, proven practices. As Volume B enters its public comment phase, we encourage the community to participate and help shape its future direction.
Microsoft’s Contributions
Through participation in the NCEP consortium’s work with NCCoE, we have shared solutions that can be adopted across sectors, supporting the nation’s critical infrastructure by fostering innovation and collaboration among stakeholders. Key contributions include:
- Helping develop the first reference build for NIST’s SP 1800-44 Volume B
- Supporting the elevation of the SSDF to national and international standards
- Sharing practical insights from our engineering practices to ensure guidance is actionable and scalable
- Providing real-world examples of tools and configurations to achieve end-to-end supply chain security, fused with DevSecOps, and extended through deployment into the operational phase in Azure
We see our role as both solution builder and platform provider, and we strive to support standards that matter most to customers and regulators.
Connecting DevSecOps, Zero Trust, and the Secure Future Initiative
While DevSecOps is the focus, for Microsoft it is built on foundational principles:
- Zero Trust Architecture (ZTA): The security model underpinning modern DevSecOps.
- Secure Future Initiative (SFI): Microsoft’s implementation of Zero Trust, now mapped to NIST CSF for global alignment.
This integration ensures that DevSecOps guidance is secure-by-design and consistent with widely recognized frameworks—boosting customer confidence worldwide.
Looking Ahead
This is just the beginning. Volume A started the journey, and Volume B continues the momentum, with more volumes to follow. As future volumes roll out, Microsoft will continue to share tools, insights, and best practices to help organizations adopt secure development at scale. By partnering with government institutions and industry participants, we’re shaping the future of cybersecurity—together.
Call to Action
Engage in the public comment phase for SP 1800-44 Volume B and help define the next generation of secure software development.
Learn more about Microsoft Security solutions