The United States federal government, much like in industry, is moving toward cloud adoption, Devsecops and microservices-based architectures for cloud-native applications. The National Institute of Standards of Technology (NIST) is tasked with promoting innovation and providing standards and guidance to industry to facilitate best practices.
In that vein, NIST released in late September Implementation of devsecops for a Microservices-based Application with Service Mesh (800-204C), which provides comprehensive guidance for implementation of devsecops and using reference platforms to host cloud-native applications in a microservices architecture using a service mesh. The document, currently in draft form, was created in collaboration with former US Air Force Chief Software Officer Nicholas Challain and individuals from service mesh leader Tetrate.
The guidance uses the concepts of primitives, which can be thought of as building blocks for successful devsecops implementations, as they relate to devsecops. It makes the case that devsecops primitives are best suited for microservices-based applications that allow agile development. It also supports the notion that devsecops facilitates the business agility requirements demanded by cloud-native applications.
Here’s an analysis of what’s in each section of the NIST guidance.