The United States continues to have complete dependence on information technology deployed in critical systems and applications in both the public and private sectors. From the electric grid to voting systems to the vast “Internet of Things," the Nation remains highly vulnerable to sophisticated cyber-attacks from hostile nation-state actors, criminal and terrorist groups, and rogue individuals. Advanced adversaries, collectively referred to as the Advanced Persistent Threat (APT), have the capability to breach our critical systems, establish an often undetected presence within those systems, and inflict immediate and long-term damage on the economic and national security interests of the Nation.
For the Nation to survive and flourish in the 21st century, where hostile actors in cyberspace are assumed and technology will continue to dominate every aspect of our lives, we must develop trustworthy, secure systems that are cyber-resilient. Cyber-resilient systems have security measures or safeguards “built in” as a foundational part of their architecture and design, enabling them to withstand cyber-attacks, faults, and failures and continue to operate even in a degraded or debilitated state to carry out the organization’s mission-essential functions.
NIST announces the release of NIST Special Publication (SP) 800-160 Volume 2, Developing Cyber Resilient Systems: A Systems Engineering Approach, which is the first in a series of specialty publications developed to support NIST SP 800-160 Volume 1, the flagship Systems Security Engineering guideline. Volume 2 addresses cyber resiliency considerations for two important yet distinct communities of interest:
- Engineering organizations developing new systems or upgrading legacy systems employing systems life cycle processes and
- Organizations with existing systems as part of their installed base currently carrying out day-to-day missions and business functions.
Both groups can apply the guidance and cyber resiliency considerations offered in this document to help ensure that the systems that they need, plan to provide, or have already deployed can survive when confronted by the APT.