Systems Security Engineering Publication Update

Thursday, January 25, 2018 @ 05:01 PM gHale

As the number and intensity of cyber attacks on critical systems in the U.S. continue to grow, their adverse consequences and long-term debilitating effects on national and economic security are being felt by federal agencies, corporations, small businesses, and individuals.

As part of its ongoing cybersecurity efforts, the National Institute of Standards and Technology (NIST) issued the first update to its flagship systems security engineering guidance document, Special Publication 800-160.


The update, released January 3, contains substantive and editorial changes: new “call out” boxes that emphasize applying the security design principles described in the publication to systems that are part of the U.S. critical infrastructure; updated graphics and additional hot links to make the guidance easier to use; and minor edits and corrections to the 2016 publication.

While there has been great emphasis on, and a significant increase in, the use of the NIST Cybersecurity Framework, the NIST Risk Management Framework, and continuous monitoring tools, there has not been as much attention to the important issues of trust technologies and assurance that lead to trustworthy components and systems for consumers.

These “below the water line” issues are addressed as part of systems security engineering throughout the entire system lifecycle process. The system design principles and concepts described in NIST SP 800-160 are foundational to achieving the requisite levels of assurance for systems and system components to help ensure mission and business success and survival in the high-tech world of the 21st century.

NIST is issuing the update to SP 800-160 in advance of publishing a second systems security engineering document in March 2018 on cyber resiliency.

The cyber resiliency publication will be the first in a series of systems security engineering specialty publications developed to support the SP 800-160 guidance.

Other specialty topics for future publications include hardware security and assurance and software security and assurance.

The objective is to provide consumers and producers of systems and system components the tools, techniques, and processes to achieve greater transparency and traceability of security requirements—leading to increased levels of trustworthiness in those systems and components.

Nothing could be of greater importance as cyber and physical systems continue to converge, Internet of Things (IoT) devices multiply, and ubiquitous network connectivity exposes mission-essential systems, critical assets, and personal information to easily exploitable vulnerabilities. Those vulnerabilities can and should be addressed during the system lifecycle process through rigorous application and consideration of security design concepts and principles.
