U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

SP 800-160 Vol. 1

Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems

Date Published: November 2016 (updated 3/21/2018)

Supersedes: SP 800-160 (01/03/2018)

Planning Note (7/14/2020):

A supplement to Appendix D is now available.

Also see NIST's Systems Security Engineering (SSE) Project.


Ron Ross (NIST), Michael McEvilley (MITRE), Janet Oren (Legg Mason)



field engineering; implementation; information security; information security policy; inspection; integration; penetration testing; protection needs; requirements analysis; resiliency; review; risk assessment; risk management; risk treatment; security architecture; security authorization; security design; security requirements; specifications; stakeholder; system-of-systems; system component; system element; system life cycle; systems; systems engineering; systems security engineering; trustworthiness; validation; verification; assurance; developmental engineering; engineering trades; disposal
Control Families

Access Control; Audit and Accountability; Awareness and Training; Configuration Management; Contingency Planning; Identification and Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical and Environmental Protection; Planning; Program Management; Risk Assessment; Assessment, Authorization and Monitoring; System and Communications Protection; System and Information Integrity; System and Services Acquisition


SP 800-160 Vol. 1 (DOI)
Local Download

Supplemental Material:
Appendix D Supplement (xls)
Systems Security Engineering (SSE) Project (web)
"Rethinking Cybersecurity from the Inside Out" (blog post) (other)

Other Parts of this Publication:
SP 800-160 Vol. 2

Document History:
03/21/18: SP 800-160 Vol. 1 (Final)


Security and Privacy
planning; risk assessment; trustworthiness

Laws and Regulations
E-Government Act