U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-160 Vol. 2 (Initial Public Draft)

Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems

Date Published: March 2018
Comments Due: May 18, 2018 (public comment period is CLOSED)
Email Questions to: sec-cert@nist.gov


Ron Ross (NIST), Richard Graubart (MITRE), Deborah Bodeau (MITRE), Rosalie McQuaid (MITRE)


This is the initial public draft of NIST's newest guideline that provides a flexible systems engineering-based framework to help organizations address the Advanced Persistent Threat (APT).  Draft NIST Special Publication 800-160 Volume 2, Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems, is the first in a series of specialty publications developed to support NIST Special Publication 800-160 Volume 1, the flagship Systems Security Engineering guideline. Volume 2 addresses cyber resiliency considerations for two important, yet distinct communities of interest:

  • Organizations conducting new development of IT component products, systems, and services; and
  • Organizations with legacy systems (installed base) currently carrying out day-to-day missions and business functions.

The United States continues to have complete dependence on information technology deployed in critical infrastructure systems and applications in both the public and private sectors. From the electric grid to voting systems to “Internet of Things” consumer products, the nation remains highly vulnerable to sophisticated, well-resourced cyber-attacks from hostile nation-state actors, criminal and terrorist groups, and rogue individuals. Certain types of advanced threats have the capability to breach our critical systems, establish a presence within those systems (often undetected), and inflict immediate and long-term damage to the economic and national security interests of the Nation.

For the Nation to survive and flourish in the 21st century where hostile actors in cyberspace are assumed and information technology will continue to dominate every aspect of our lives, we must develop trustworthy, secure IT components, services, and systems that are cyber resilient. Cyber resilient systems are those systems that have required security safeguards “built in” as a foundational part of the system architecture and design; and moreover, display a high level of resiliency which means the systems can withstand an attack, and continue to operate even in a degraded or debilitated state --carrying out mission-essential functions.

Both communities (the systems engineers and enterprise security and risk management professionals) can apply the guidance and cyber resiliency considerations to help ensure that the component products, systems, and services that they need, plan to provide, or have already deployed, can survive when confronted by the APT. The guidance can also be used to guide and inform any investment decisions regarding cyber resiliency.



cyber resiliency engineering framework; cyber resiliency goals; cyber resiliency objectives; risk management strategy; system life cycle; systems security engineering; trustworthy; controls; cyber resiliency; cyber resiliency approaches; cyber resiliency design principles; advanced persistent threat
Control Families

None selected


Draft SP 800-160 Vol. 2 (pdf)

Supplemental Material:
Comment Template (xlsx)
Presentation: "Building Cyber Resilient Systems"

Document History:
03/21/18: SP 800-160 Vol. 2 (Draft)
09/04/19: SP 800-160 Vol. 2 (Draft)
11/27/19: SP 800-160 Vol. 2 (Final)


Security and Privacy

risk assessment, systems security engineering, threats