
Embedding security, automation, and compliance into the heart of federal application delivery
Background
The National Institute of Standards and Technology (NIST) Office of Information Systems Management (OISM) Application Systems Division (ASD) develops and maintains a wide portfolio of mission-critical information systems. The ASD plays a crucial role in ensuring NIST’s internal and external systems are kept operational, secure, and compliant—a responsibility that NIST team members and external stakeholders depend on to securely and consistently access essential tools and data. To strengthen ASD’s Application Lifecycle Management (ALM) and Software Configuration Management (SCM) capabilities, NIST launched an ambitious modernization initiative focused on DevSecOps transformation.
ASSYST partnered with NIST’s Infrastructure Services Division (ISD), IT Security & Networking (ITSND), and Platform Services (PSD) to deliver this transformation, leveraging decades of experience in federal secure cloud modernization. The initiative advanced software delivery capabilities while aligning directly with FISMA, FedRAMP, Executive Order 14028 on Zero Trust, and OMB M-21-31 logging and observability mandates, ensuring compliance with national cybersecurity priorities. By embedding security and automation into the development lifecycle, the effort created a standards-aligned model for federal DevSecOps modernization.

Challenge
NIST’s goal was to transition from legacy, manual processes to a modern DevSecOps framework—with continuous integration, continuous deployment, automated validation checks and vulnerability scans, and containerization—while operating within strict security protocols.
The challenge was not just modernization, but proving how security could be embedded across the entire software delivery lifecycle, in alignment with NIST’s own standards and evolving federal cybersecurity directives.
Solution
Based on our understanding of the challenges, it was clear that streamlining and automating the development and operations processes for faster software release cycles in a secure cloud environment were the key requirements. ASSYST’s proposed solution was flexible, reliable, scalable, and offered great computing power; it was easy to use and cost-effective. ASSYST’s approach included a solution stack comprising a combination of cloud services and open-source technologies that addressed all the above challenges. ASSYST designed, developed, and deployed a secure, automated DevSecOps pipeline in the NIST AWS environment:
- Infrastructure as Code (IaC): Provisioned AWS infrastructure with Terraform, ensuring consistency, reproducibility, and auditability.
- CI/CD Pipeline Automation: Configured GitLab pipelines for containerized and non-containerized applications, reducing deployment friction and error rates.
- Integrated Security & Compliance: Embedded Clair vulnerability scans into ECR repositories for continuous monitoring, ensuring compliance with Zero Trust principles.
- Third-Party Integration: Integrated GitLab and SonarQube into AWS EKS Fargate, establishing automated quality checks and feedback loops consistent with NIST secure coding guidance.
Features
- IaC for automated, version-controlled environments
- CI/CD pipelines for standardized, repeatable deployments
- Continuous vulnerability scanning on every image push and nightly cycle
- Built-in compliance alignment with EO 14028, OMB M-21-31, and NIST DevSecOps guidance

Outcomes
This modernization delivered lasting improvements to NIST’s application delivery and security environment:
- Accelerated Deployment Cycles: Application releases moved from weeks to hours, with greater reliability and repeatability through automation.
- Flexible and Easy to use/configure/implement: ASSYST’s approach provided secure, resizable compute capacity in the cloud. The proven cloud computing containerized environments provide complete flexibility and freedom in managing computing resources and costs, ensuring and extracting maximum computing power. It was very easy and less time-consuming (minutes) to obtain and boot new pods and cloud services, compared to an on-premises or server instance model.
- Repeatable: Having optimized the CI/CD process, the entire codebase, scripts, and instructions were tested at each environment before being promoted, and faults and errors were quickly spotted and remediated.
- Scalable (Auto-Scaling): The ability to quickly scale capacity, both up and down, depending on the load and volume, was seamless.
- Security: Encryption set in transit and at rest. In addition to TLS encryption, in-transit encryption was successfully completed using the Java Cryptography Extension (JCE) for each part before storing the sensitive files in the cloud storage. Access to the data was easily controlled and managed.
- Parallel Processing: The processing time of large data submissions was drastically reduced due to parallel processing.
- Storage: In a cloud environment, storage is offered in different classes, depending on how frequently the data is accessed (for example, EBS, S3, Glacier, etc.). The cost benefits compared to an on-premises model for storing huge data were relatively low by using this model. The cloud Storage service also meets regulatory compliance standards, including PCI-DSS, HIPAA/HITECH, FedRAMP, and FISMA.
- Strengthened Security Posture: Vulnerabilities were detected earlier in the development lifecycle, effectively shifting security left and reducing production risk.
- Continuous Compliance: Automated controls ensured ongoing alignment with Zero Trust principles, FedRAMP, EO 14028, OMB M-21-31, FISMA guidelines, and NIST DevSecOps guidance.
- Operational Efficiency: Manual, time-intensive processes were eliminated, enabling teams to focus on mission-driven innovation.
- Replicable Model for Agencies: The initiative established a standards-aligned DevSecOps framework that other federal organizations can adopt—demonstrating ASSYST’s ability to deliver secure, automated, and compliant modernization at scale.