NIST Guidelines for API Protection in Cloud-Native Systems
Summary
The National Institute of Standards and Technology (NIST) has updated its guidelines for API protection in cloud-native systems. This update, NIST SP 800-228-upd1, provides recommendations for identifying risks and implementing controls throughout the API lifecycle.
What changed
NIST has released an updated version of its Special Publication 800-228, focusing on API protection within cloud-native systems. The updated guidelines, published on March 13, 2026, address the identification and analysis of risks and vulnerabilities across the API development and runtime phases. They also recommend basic and advanced controls and protection measures, along with an analysis of implementation options, to support an incremental, risk-based security approach for the APIs on which modern enterprise IT integration depends.
While these guidelines are non-binding, they offer essential best practices for organizations relying on APIs for business processes. Security practitioners should review the updated document to understand current threats and recommended controls for securing API development and runtime environments. The document aims to help organizations adopt a risk-based approach to API security, enhancing overall enterprise security.
What to do next
- Review NIST SP 800-228-upd1 for updated API protection recommendations.
- Assess current API security controls against NIST recommendations.
- Implement recommended controls for API development and runtime stages based on risk assessment.
Source document (simplified)
Guidelines for API Protection for Cloud-Native Systems - March 2026 Update
Published
March 13, 2026
Author(s)
Ramaswamy Chandramouli, Zack Butcher
Abstract
Modern enterprise IT systems rely on a family of application programming interfaces (APIs) for integration to support organizational business processes. Hence, a secure deployment of APIs is critical for overall enterprise security. This, in turn, requires the identification of risk factors or vulnerabilities in various phases of the API life cycle and the development of controls or protection measures. This document addresses the following aspects of achieving that goal: (a) the identification and analysis of risk factors or vulnerabilities during various activities of API development and runtime, (b) recommended basic and advanced controls and protection measures during the pre-runtime and runtime stages of APIs, and (c) an analysis of the advantages and disadvantages of various implementation options for those controls to enable security practitioners to adopt an incremental, risk-based approach to securing their APIs.
Citation
Special Publication (NIST SP) - 800-228-upd1
Report Number
800-228-upd1
NIST Pub Series
Special Publication (NIST SP)
Pub Type
NIST Pubs
Download Paper
https://doi.org/10.6028/NIST.SP.800-228-upd1
Keywords
API, API endpoint, API gateway, API key, API schema, web application firewall. Subject areas: Information technology; Cybersecurity and privacy.
Citation
Chandramouli, R. and Butcher, Z. (2026), Guidelines for API Protection for Cloud-Native Systems - March 2026 Update, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.SP.800-228-upd1, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=961660 (Accessed March 14, 2026)
Created March 13, 2026