
NIST opens first RESTful API security standard for comment

SP 800-228A fills a gap in the 800-171 framework for the API architectures most defense contractors already run.


TL;DR

NIST published the initial public draft of SP 800-228A on Monday, providing threat analysis and security controls for RESTful web APIs across pre-runtime and runtime phases. Comments close July 2. It is the first NIST special publication dedicated to RESTful API security. For contractors under SP 800-171, the draft addresses a gap: existing control mappings were built around traditional application architectures and left RESTful API deployments without a clear reference baseline. Whether the final publication becomes a cited standard for DFARS and CMMC assessments remains undetermined.

SP 800-228A is a companion to SP 800-228, the broader API security standard. The new draft narrows the focus to RESTful APIs specifically: stateless, HTTP-based architectures that are the most common API type in federal and defense environments. It organizes controls around two phases, pre-runtime (design, development, testing) and runtime (deployment, monitoring, incident response), a structure that maps more naturally onto DevSecOps workflows than the static control families in 800-171.

The publication matters because RESTful APIs are widely deployed across the defense industrial base for system integration, data exchange, and CI/CD pipelines. But 800-171 Rev. 3 control mappings, built around system boundaries and configuration management, never cleanly addressed RESTful API architectures. Assessors have applied general controls by analogy. SP 800-228A gives both assessors and the contractors they audit a specific reference.

The open question is adoption. NIST has not indicated whether SP 800-228A will be incorporated into the 800-171 assessment framework or cited in DFARS rulemaking or CMMC scoping guidance. Until finalization, which is unlikely before late 2026 given the July comment deadline, contractors should treat the draft as the likely direction of travel and map their API security practices against it now, particularly for systems handling CUI.


Deep Fathom