SP 800-160 (Draft)

Systems Security Engineering Guideline: An Integrated Approach to Building Trustworthy Resilient Systems

Date Published: May 2016
Comments Due: July 1, 2016 (public comment period is CLOSED)
Email Questions to: sec-cert@nist.gov


Ron Ross (NIST), Michael McEvilley (MITRE), Janet Oren (PwC)


NIST announces the release of Draft SP 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.

The United States has developed incredibly powerful and complex systems-systems that are inexorably linked to the economic and national security interests of the Nation. The complete dependence on those systems for mission and business success in both the public and private sectors, including the critical infrastructure, has left the Nation extremely vulnerable to hostile cyber-attacks and other serious threats. With the continuing frequency, intensity, and adverse consequences of cyber-attacks, disruptions, hazards, and threats to federal, state, and local governments, the military, businesses, industry, and the critical infrastructure, the need for trustworthy secure systems has never been more important.

Engineering-based approaches to solutions are essential to managing the growing complexity, dynamicity, and interconnectedness of today's systems-as exemplified by cyber-physical systems and systems-of-systems, including the Internet of Things. Managing the complexity of today's systems and being able to claim that those systems are trustworthy and secure means that first and foremost, there must be a level of confidence in the feasibility and correctness-in-concept, philosophy, and design, regarding the ability of a system to function securely as intended. Failure to address the complexity issue in this manner will continue to leave the Nation susceptible to the consequences of an increasingly pervasive set of disruptions, hazards, and threats with potential for causing serious, severe, or even catastrophic consequences.

NIST Special Publication 800-160 attempts to bring greater clarity to the difficult and challenging problems associated with a systems-oriented viewpoint on realizing trustworthy secure systems-and does so through the considerations set forth in a set of standards-based systems engineering processes applied throughout the life cycle.



developmental engineering; disposal; engineering trades; field engineering; implementation; information security; information security policy; inspection; integration; penetration testing; protection needs; requirements analysis; resiliency; review; risk assessment; risk management; risk treatment; security architecture; security authorization; security design; security requirements; specifications; stakeholder; system-of-systems; system component; system element; system life cycle; systems; systems engineering; systems security engineering; trustworthiness; validation; Assurance; verification
Control Families

None selected


Second Draft SP 800-160
Press Release (May 4, 2016)

Supplemental Material:
Press Release (May 4, 2016) (other)
Initial Public Draft SP 800-160 (May 2014) (pdf)

Document History:
05/13/14: SP 800-160 (Draft)
05/04/16: SP 800-160 (Draft)
09/22/16: SP 800-160 (Draft)


Security and Privacy
risk management; systems security engineering