The goal of the NIST Systems Security Engineering initiative is to address security, safety, and resiliency issues from a stakeholder requirements and protection needs perspective, using established engineering processes to ensure that those requirements and needs are addressed across the entire system life cycle to develop more trustworthy systems. To that end, Draft NIST Special Publication (SP) 800-160 Volume 2, Developing Cyber Resilient Systems: A Systems Security Engineering Approach, focuses on cyber resiliency engineering, an emerging specialty systems engineering discipline, applied in conjunction with resilience engineering and systems security engineering to develop more survivable, trustworthy systems. Cyber resiliency engineering aims to design, architect, and develop systems with the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises that use or are enabled by cyber resources.
This Final Public Draft of NIST SP 800-160 Vol. 2 presents the cyber resiliency engineering framework (conceptual framework) for understanding and applying cyber resiliency, a concept of use for the conceptual framework, and specific engineering considerations for implementing cyber resiliency in the system life cycle. Building off the conceptual framework, this publication also identifies considerations for determining which cyber resiliency constructs are most relevant to a system-of-interest and a tailorable cyber resiliency analysis process to apply the selected cyber resiliency concepts, constructs, and practices to a system. The cyber resiliency analysis is intended to determine whether the cyber resiliency properties and behaviors of a system-of-interest, wherever it is in the life cycle, are sufficient for the organization using that system to meet its mission assurance, business continuity, or other security requirements—in a threat environment that includes the advanced persistent threat (APT).
The conceptual framework is supplemented by several technical appendices that provide additional information to support its application, including:
NOTE: A call for patent claims is included on page vi of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
Security and Privacy: risk assessment, systems security engineering, threats