The United States is heavily dependent on information technology, which is integral to critical networks and applications, in both the public and private sectors. From the electric grid to voting systems to the vast internet of things, America remains “highly vulnerable to sophisticated cyber-attacks from hostile nation-state actors, criminal and terrorist groups, and rogue individuals,” according to the National Institute of Standards and Technology. Technologically advanced adversaries, collectively referred to as the Advanced Persistent Threat (APT), have the capability to breach critical systems, establish an often undetected presence within those systems, and inflict immediate and long-term damage on the economic and national security interests of the United States, NIST said.
For American ingenuity to survive and the economy to flourish, the U.S. must develop trustworthy, secure systems that are cyber-resilient. Cyber-resilient systems, as defined by NIST, are systems that have security measures or safeguards “built in” as a foundational part of their architecture and design, enabling them to withstand cyber-attacks, coding faults, and failures, and to continue operating, even in a degraded or debilitated state, to carry out an organization’s mission-essential functions.
To this end, NIST announced the release of NIST Special Publication (SP) 800-160 Volume 2, Developing Cyber Resilient Systems: A Systems Engineering Approach, which is the first in a series of specialty publications developed to support NIST SP 800-160 Volume 1, the flagship Systems Security Engineering guideline. Volume 2 addresses cyber resiliency considerations for two important yet distinct communities of interest:
- Engineering organizations developing new systems or upgrading legacy systems employing systems life cycle processes; and
- Organizations with existing systems as part of their installed base currently carrying out day-to-day missions and business functions.
SP 800-160 Volume 2 is designed to be used in conjunction with ISO/IEC/IEEE 15288:2015, Systems and software engineering—Systems life cycle processes, NIST Special Publication 800-160, Volume 1, Systems Security Engineering—Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, and NIST Special Publication 800-37, Risk Management Framework for Information Systems and Organizations—A System Life Cycle Approach for Security and Privacy. NIST said, “it could be viewed as a handbook for achieving the identified cyber resiliency outcomes based on a systems engineering perspective on system life-cycle processes in conjunction with risk management processes, allowing the experience and expertise of the organization to help determine what is correct for its purpose.”
NIST suggested organizations could select, adapt, and use some or all of the cyber-resiliency constructs (i.e., objectives, techniques, approaches, and design principles) described in this publication and apply the constructs to the technical, operational, and threat environments for which systems need to be engineered.
“The system life-cycle processes and cyber-resiliency constructs can be used for new systems, system upgrades, or repurposed systems; can be employed at any stage of the system life cycle; and can take advantage of any system or software development methodology including, for example, waterfall, spiral, or agile,” NIST explained. “The processes and associated cyber-resiliency constructs can also be applied recursively, iteratively, concurrently, sequentially, or in parallel and to any system regardless of its size, complexity, purpose, scope, environment of operation, or special nature.”
The full extent of the application of the content in SP 800-160 Volume 2 is guided and informed by stakeholder protection needs, mission assurance needs, and concerns with cost, schedule, and performance, NIST said. The “tailorable” nature of the engineering activities and tasks and of the system life-cycle processes ensures that systems resulting from the application of the security and cyber-resiliency design principles, among others, have the level of trustworthiness deemed sufficient to protect stakeholders from suffering unacceptable losses of their assets and the associated consequences, NIST explained.
Trustworthiness is made possible, in part, by the rigorous application of the security and cyber-resiliency design principles, constructs, and concepts within a structured set of systems life-cycle processes that provides the necessary traceability of requirements, transparency, and evidence to support risk-informed decision-making and trades, NIST explained.
Both the public and private sectors can apply the guidance and cyber resiliency considerations offered in SP 800-160 Volume 2 to help ensure that their systems can survive when confronted by an APT.