Microsoft appreciates the opportunity to participate in the National Institute of Standards and Technology’s (NIST) effort to evolve the Live Guidelines for Secure Software Development, Security, and Operations (DevSecOps) Practices, building on the original NIST SP 1800-44 publication. This living guidance reflects ongoing, collaborative work to document practical approaches for securing the software development lifecycle, addressing challenges such as open-source risk, software supply chain integrity, Software Bill of Materials (SBOM), insider threats, and Zero Trust principles.
This project is led by the National Cybersecurity Center of Excellence (NCCoE) through the National Cybersecurity Excellence Partnership (NCEP) consortium, with contributions from government, industry, and academia. The resulting guidance is intended to help organizations apply standards-based DevSecOps practices using reference implementations developed under NCCoE leadership.
Our team at Microsoft was honored to share frameworks, tools, and expertise to help deploy and configure secure Azure DevOps and GitHub environments.
These efforts were complemented by open-source tooling and partner solutions, resulting in CI/CD examples that reflect industry best practices. Microsoft's contributions included:
- OpenSSF Secure Supply Chain Consumption Framework (S2C2F) – a set of requirements, organized as a maturity model, focused specifically on how developers securely consume open-source dependencies in their workflow.
- Microsoft SBOM tool – a general-purpose, cross-platform, open-source SBOM generator that produces SPDX SBOMs at build time.
- GitHub Advanced Security – a suite of tools available on GitHub and Azure DevOps that performs static code analysis, software composition analysis, automated dependency updates, and more.
- Defender for Cloud DevOps security – a centralized console that lets security teams protect applications and resources from code to cloud across multiple pipeline environments, including Azure DevOps, GitHub, and GitLab.
Note: These tools are referenced solely as examples used in the NCCoE reference implementations. NIST and NCCoE do not evaluate, recommend, or endorse any commercial product or service.
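As an added illustration of the SBOM point above (this is example code written for this page, not code from the NCCoE reference builds or from the Microsoft SBOM tool), the following Python checks that files on disk match the SHA-256 checksums recorded in an SPDX 2.2 JSON document of the shape build-time generators emit. The SBOM, the file contents and the package and file names are all constructed inline and hypothetical; one file is deliberately tampered and one omitted so the check exercises its failure paths, and a file name that would escape the deployment root is rejected rather than followed.

```python
"""Check artifacts on disk against the file checksums in an SPDX 2.2 JSON SBOM.

Added example, not code from the NCCoE reference builds or the Microsoft SBOM
tool. The SBOM below is constructed inline (hypothetical package and file
names) and follows the SPDX JSON shape that build-time generators emit: a
top-level "files" array whose entries carry "fileName" and "checksums".
"""
import hashlib
import json
import os
import tempfile

# Constructed "as built" contents; the sample SBOM is generated from these.
GOOD_CONTENT = {
    "bin/app": b"demo application binary\n",
    "lib/helper.dll": b"demo helper library\n",
    "config/app.json": b'{"logLevel": "info"}\n',
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_sample_sbom() -> str:
    """Build a minimal SPDX 2.2 JSON document describing GOOD_CONTENT."""
    files = []
    for i, (name, data) in enumerate(GOOD_CONTENT.items()):
        files.append({
            "fileName": "./" + name,
            "SPDXID": f"SPDXRef-File-{i}",
            "checksums": [
                {"algorithm": "SHA256", "checksumValue": sha256_hex(data)},
                {"algorithm": "SHA1", "checksumValue": hashlib.sha1(data).hexdigest()},
            ],
        })
    doc = {
        "spdxVersion": "SPDX-2.2",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "example-app 1.0.0",  # hypothetical package name and version
        "files": files,
        "packages": [],
    }
    return json.dumps(doc, indent=2)


def verify_sbom_files(sbom_json: str, root: str) -> dict:
    """Compare each file listed in the SBOM with the copy under `root`.

    Returns file names in four buckets: ok, mismatch, missing and unverifiable
    (no SHA-256 recorded). SHA-1 entries are ignored because SHA-1 is not
    collision resistant and must not be the basis of an integrity decision.
    Raises ValueError for a non-SPDX-2 document or a file name that would
    resolve outside `root` (an SBOM is untrusted input until verified).
    """
    doc = json.loads(sbom_json)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x document")
    result = {"ok": [], "mismatch": [], "missing": [], "unverifiable": []}
    for entry in doc.get("files", []):
        name = entry["fileName"]
        expected = None
        for c in entry.get("checksums", []):
            if c.get("algorithm") == "SHA256":
                expected = c["checksumValue"].lower()
        if expected is None:
            result["unverifiable"].append(name)
            continue
        rel = name[2:] if name.startswith("./") else name
        path = os.path.normpath(os.path.join(root, *rel.split("/")))
        if os.path.commonpath([root, path]) != root:
            raise ValueError(f"file name escapes the deployment root: {name}")
        if not os.path.isfile(path):
            result["missing"].append(name)
            continue
        with open(path, "rb") as fh:
            actual = sha256_hex(fh.read())
        result["ok" if actual == expected else "mismatch"].append(name)
    return result


def build_demo_tree() -> str:
    """Write a deployment tree that differs from the SBOM in two places."""
    root = tempfile.mkdtemp(prefix="sbom-demo-")
    on_disk = {
        "bin/app": GOOD_CONTENT["bin/app"],             # unchanged since build
        "lib/helper.dll": b"tampered helper library\n",  # modified after build
        # config/app.json deliberately not written: missing from the drop
    }
    for name, data in on_disk.items():
        path = os.path.join(root, *name.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    report = verify_sbom_files(make_sample_sbom(), build_demo_tree())
    for bucket, names in report.items():
        print(f"{bucket}: {names}")
```

Run stand-alone, the script reports bin/app as ok, lib/helper.dll as a mismatch and config/app.json as missing. In a pipeline the same check would run against the real `_manifest` output of the SBOM generator and the deployed drop, and a non-empty mismatch or missing bucket should fail the release gate.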
The Live Guidelines for DevSecOps Practices also explore how AI can assist with requirements management, code generation, vulnerability analysis, and risk mitigation across the software development lifecycle. These AI-assisted capabilities operate within a Zero Trust framework, under least-privilege access and continuous validation, with human oversight, transparency, and audit trails so that the resulting automation remains secure and compliant. The examples in the guidance are intended to inform discussion and public feedback as it evolves, rather than to prescribe specific implementations.
Microsoft is one of many contributors to this effort, and we value the broader industry partnership that makes it possible. The NCCoE, part of NIST, is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses' most pressing cybersecurity challenges. Through this collaboration, the NCCoE develops modular, adaptable example cybersecurity solutions that demonstrate how to apply standards and best practices using commercially available technology. More information is available at: https://nccoe.nist.gov.
Why NIST's Live Guidelines for Secure Software Development, Security, and Operations (DevSecOps) Practices Matter
The Live Guidelines for DevSecOps Practices provide a practical blueprint for secure development that organizations can adopt with confidence. Many small and medium-sized businesses struggle to understand what a secure DevOps configuration should look like, or how the DevSecOps lifecycle differs from DevOps. The Live Guidelines address this by describing industry best practices for the components and activities in each lifecycle phase, mapping them to the NIST SP 800-218 Secure Software Development Framework (SSDF), and noting where AI integrates with those activities. The guidance was validated against two reference builds, one exercising Microsoft's developer stack and one a comparable industry stack, both deployed on Azure, so that it reflects practices proven in real deployments.
The Live Guidelines also explore how AI-assisted capabilities may support activities such as requirements management, code analysis, vulnerability identification, and risk mitigation across the software development lifecycle. When applied within a Zero Trust framework, these capabilities emphasize least-privileged access, continuous validation, transparency, and auditability, with appropriate human oversight.
As the Live Guidelines for DevSecOps Practices enter their public comment phase, we encourage the community to participate and help shape their future direction.
Microsoft’s Contributions
As part of the NCEP consortium, Microsoft is one of many contributors supporting the reference implementations used to validate the Live Guidelines for DevSecOps Practices. Contributors shared engineering experience, architectural patterns, and example configurations so that the guidance reflects real-world deployment considerations across the software development lifecycle. Through the consortium's work with NCCoE, we have shared solutions that can be adopted across sectors and that support the nation's critical infrastructure. Key contributions include:
- Contributing engineering expertise and implementation experience to one of the reference builds developed under NCCoE leadership for NIST’s Live Guidelines for Secure Software Development, Security, and Operations (DevSecOps) Practices
- Supporting the elevation of the SSDF to national and international standards
- Sharing practical insights from our engineering practices to ensure guidance is actionable and scalable
- Providing real-world examples of tools and configurations that achieve end-to-end supply chain security, integrated with DevSecOps practices and extended through deployment into the operational phase in Azure
We see our role as both solution builder and platform provider, and we strive to support standards that matter most to customers and regulators.
Connecting DevSecOps, Zero Trust, and the Secure Future Initiative
While DevSecOps is the focus, Microsoft builds it on two foundational principles:
- Zero Trust Architecture (ZTA): The security model underpinning modern DevSecOps.
- Secure Future Initiative (SFI): Microsoft’s implementation of Zero Trust, now mapped to NIST Cybersecurity Framework (CSF) for global alignment.
This integration ensures that DevSecOps guidance is secure-by-design and consistent with widely recognized frameworks—boosting customer confidence worldwide.
Looking Ahead
This is just the beginning. NIST SP 1800-44 DevSecOps Practices started the journey, and the updates in the Live Guidelines for DevSecOps Practices continue the momentum, with more resources to follow. As those resources are released, Microsoft will continue to share tools, insights, and best practices to help organizations adopt secure development at scale. By partnering with government institutions and industry participants, we are shaping the future of cybersecurity together.
Next Steps
Engage in the public comment phase for the Live Guidelines for Secure Software Development, Security, and Operations (DevSecOps) Practices document and help define the next generation of secure software development.
Learn more about Microsoft Security solutions here.