The National Institute of Standards and Technology (NIST) is asking for feedback on the Final Public Draft of NIST Special Publication (SP) 800-160 Volume 2, Developing Cyber Resilient Systems: A Systems Security Engineering Approach.
Draft NIST SP 800-160 Volume 2 outlines the cyber resiliency engineering framework (conceptual framework) for understanding and applying cyber resiliency, a concept of use for the conceptual framework, and specific engineering considerations for implementing cyber resiliency in the system life cycle, NIST reported in a release.
Building off the conceptual framework, this publication identifies considerations for determining which cyber resiliency constructs are most relevant to a system-of-interest and a tailorable cyber resiliency analysis process to apply the selected cyber resiliency concepts, constructs, and practices to a system. The cyber resiliency analysis is intended to determine whether the cyber resiliency properties and behaviors of a system-of-interest, wherever it is in the life cycle, are sufficient for the organization using that system to meet its mission assurance, business continuity, or other security requirements—in a threat environment that includes the advanced persistent threat (APT).
NIST explained the draft publication is designed for use in combination with NIST SP 800-160 Volume 1, “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems” and NIST SP 800-37, “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.” Application of the principles in the draft, in combination with the system life cycle processes in SP 800-160 Volume 1 and the risk management methodology in SP 800-37, can achieve identified cyber-resiliency outcomes.
The conceptual framework is supplemented by several technical appendices that provide additional information to support its application, including:
- How cyber resiliency concerns can be addressed as part of the life cycle processes in systems security engineering;
- Controls in NIST Special Publication 800-53, Revision 5, which directly support cyber resiliency;
- An approach for adversary-oriented analysis of a system and applications of cyber resiliency, a vocabulary to describe the current or potential effects of a set of mitigations, and a representative cyber-threat coverage analysis for cyber resiliency approaches;
- Cyber resiliency use cases that describe three representative situations (e.g., self-driving car, enterprise IT system, campus microgrid) in which cyber resiliency can be considered; and
- An example of how cyber resiliency could be applied to critical infrastructure, based on publicly available descriptions of the cyber-attacks on the Ukrainian power grid in 2015 and 2016.
“Guided and informed by stakeholder protection needs, mission assurance needs, and stakeholder concerns with cost, schedule, and performance, the cyber resiliency constructs, principles and approach can be applied to critical systems to identify, prioritize, and implement solutions to meet the unique cyber resiliency needs of organizations,” NIST said.
The public comment period closes Nov. 1, 2019. See the publication details for a copy of the document, comment template, and instructions for submitting comments.