Date Published: March 2018
Comments Due: May 18, 2018
Email Comments to: email@example.com
Planning Note (3/22/2018):
Please submit comments to firstname.lastname@example.org using the Comment Template by May 18, 2018.
Ron Ross (NIST), Richard Graubart (MITRE), Deborah Bodeau (MITRE), Rosalie McQuaid (MITRE)
This is the initial public draft of NIST's newest guideline that provides a flexible systems engineering-based framework to help organizations address the Advanced Persistent Threat (APT). Draft NIST Special Publication 800-160 Volume 2, Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems, is the first in a series of specialty publications developed to support NIST Special Publication 800-160 Volume 1, the flagship Systems Security Engineering guideline. Volume 2 addresses cyber resiliency considerations for two important, yet distinct communities of interest:
- Organizations conducting new development of IT component products, systems, and services; and
- Organizations with legacy systems (installed base) currently carrying out day-to-day missions and business functions.
The United States continues to have complete dependence on information technology deployed in critical infrastructure systems and applications in both the public and private sectors. From the electric grid to voting systems to “Internet of Things” consumer products, the nation remains highly vulnerable to sophisticated, well-resourced cyber-attacks from hostile nation-state actors, criminal and terrorist groups, and rogue individuals. Certain types of advanced threats have the capability to breach our critical systems, establish a presence within those systems (often undetected), and inflict immediate and long-term damage to the economic and national security interests of the Nation.
For the Nation to survive and flourish in the 21st century where hostile actors in cyberspace are assumed and information technology will continue to dominate every aspect of our lives, we must develop trustworthy, secure IT components, services, and systems that are cyber resilient. Cyber resilient systems are those systems that have required security safeguards “built in” as a foundational part of the system architecture and design; and moreover, display a high level of resiliency which means the systems can withstand an attack, and continue to operate even in a degraded or debilitated state --carrying out mission-essential functions.
Both communities (the systems engineers and enterprise security and risk management professionals) can apply the guidance and cyber resiliency considerations to help ensure that the component products, systems, and services that they need, plan to provide, or have already deployed, can survive when confronted by the APT. The guidance can also be used to guide and inform any investment decisions regarding cyber resiliency.
Keywords cyber resiliency; cyber resiliency approaches; cyber resiliency design principles; cyber resiliency engineering framework; cyber resiliency goals; cyber resiliency objectives; risk management strategy; system life cycle; systems security engineering; trustworthy; controls; advanced persistent threat