NIST Special Publication 800-160, Systems Security Engineering — Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
As part of its ongoing cybersecurity efforts, NIST has issued the first update to its flagship systems security engineering guidance document, Special Publication 800-160. The errata update, released on January 3, 2018, contains changes that are both substantive and editorial, including: the addition of new “call out” boxes to emphasize the importance of applying the security design principles described in the publication to systems that are part of the U.S. critical infrastructure; updated graphics and additional hot links to improve the customer experience in using the guidance; and minor edits and corrections to the 2016 publication.
As the number and intensity of cyber-attacks on critical systems in the U.S. grow by the day, the adverse consequences and long-term debilitating effects on our national and economic security continue to be felt by federal agencies, corporations, small businesses, and individuals. While there has been great emphasis on and a significant increase in the use of the NIST Cybersecurity Framework, the NIST Risk Management Framework, and continuous monitoring tools, there has not been as much attention to the important issues of trust technologies and assurance that lead to trustworthy components and systems for consumers. These “below the water line” issues are addressed as part of systems security engineering throughout the entire system life cycle process. The system design principles and concepts described in NIST SP 800-160 are foundational to achieving the requisite levels of assurance for systems and system components to help ensure mission and business success and survival in the high-tech world of the 21st century.
NIST is issuing the update to SP 800-160 in advance of publishing a second systems security engineering document in March 2018 on cyber resiliency. The cyber resiliency publication will be the first in a series of systems security engineering specialty publications developed to support the SP 800-160 guidance. Other specialty topics for future publications include hardware security and assurance and software security and assurance. The objective is to provide consumers and producers of systems and system components the tools, techniques, and processes to achieve greater transparency and traceability of security requirements—leading to increased levels of trustworthiness in those systems and components. Nothing could be of greater importance in the continuing convergence of cyber and physical systems, the massive growth of Internet of Things (IoT) devices, and the ubiquitous network connectivity that exposes mission-essential systems, critical assets, and personal information to easily exploitable vulnerabilities—vulnerabilities that can and should be addressed during the system life cycle process that includes a rigorous application and consideration of security design concepts and principles.