As part of its ongoing cybersecurity efforts, the National Institute for Standards and Technology issued the first update to its flagship systems security engineering guidance document, Special Publication 800-160, Systems Security Engineering — Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.
This errata update, released on January 3, 2018, contains changes that are both essential and editorial including: the addition of new “call out” boxes to emphasize the importance of applying the security design principles described in the publication to systems that are part of the U.S. critical infrastructure; updated graphics and additional hot links to make the guidance more user-friendly. Also included are minor edits and corrections to the 2016 publication.
Due to the increasing number and intensity of cyber-attacks on critical systems in the U.S, the adverse consequences and long-term debilitating effects on national and economic security continue to be felt by federal agencies, corporations, small businesses, and individuals, according to NIST. While there has been great emphasis on and a significant increase in the use of the NIST Cybersecurity Framework, the NIST Risk Management Framework, and continuous monitoring tools, there has not been as much attention on the important issues of trust technologies and assurance that lead to trustworthy components and systems for consumers, NIST reported. These issues are addressed as part of systems security engineering throughout the entire system life cycle process in the updated guidance. The system design principles and concepts described in NIST SP 800-160 are foundational to achieving the necessary levels of assurance for systems and system components to help ensure governmental mission and business success — and survival in the ever evolving high-tech environment.
NIST is issuing the update to SP 800-160 in advance of publishing a second systems security engineering document in March 2018 that will address cyber resiliency. The cyber resiliency publication will be the first in a series of systems security engineering specialty publications developed to support the SP 800-160 guidance. Other specialty topics for future publications include hardware security and assurance and software security and assurance.
NIST said the objective is to provide consumers and producers of systems and system components with the tools, techniques, and processes to achieve greater transparency and traceability of security requirements — leading to increased levels of trustworthiness in those systems and components. Security will be vital in light of the continuing convergence of cyber and physical systems, the massive growth of Internet of Things (IoT) devices, and the ubiquitous network connectivity that exposes mission-essential systems, critical assets and personal information to easily exploitable vulnerabilities — vulnerabilities that should be addressed during the system life-cycle process that must include a rigorous application and consideration of security design concepts and principles.