Date Published: September 2016
Comments Due:
Email Questions to:
Author(s)
Ron Ross (NIST), Michael McEvilley (MITRE), Janet Oren (PwC)
Announcement
NIST announces the release of the final draft of Special Publication 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.
Engineering-based approaches to solutions are essential to managing the growing complexity, dynamicity, and interconnectedness of today's systems--as exemplified by cyber-physical systems and systems-of-systems, including the Internet of Things. Managing the complexity of today's systems and being able to claim that those systems are trustworthy and secure means that first and foremost, there must be a level of confidence in the feasibility and correctness-in-concept, philosophy, and design, regarding the ability of a system to function securely as intended. Failure to address the complexity issue in this manner will continue to leave the Nation susceptible to the consequences of an increasingly pervasive set of disruptions, hazards, and threats with potential for causing serious, severe, or even catastrophic consequences. NIST Special Publication 800-160 attempts to bring greater clarity to the difficult and challenging problems associated with a systems-oriented viewpoint on realizing trustworthy secure systems--and does so through the considerations set forth in a set of standards-based systems engineering processes applied throughout the system life cycle.
The final public draft of NIST Special Publication 800-160 represents a targeted update to the second public draft published in May 2016. As part of this update, some important long-term design decisions were taken that are reflected in the final draft. To ensure that the publication provides the utmost clarity and focus for our customers, several of the supporting appendices in the second public draft are being recast into their own publication. Special Publication 800-160 will become the flagship publication for the NIST Systems Security Engineering Initiative. The following supporting NIST publications will be developed and published in 2017 and beyond:
- Special Publication 800-160A, Systems Security Engineering: Considerations for System Resilience in the Engineering of Trustworthy Secure Systems;
- Special Publication 800-160B, Systems Security Engineering: Considerations for Software Assurance in the Engineering of Trustworthy Secure Systems; and
- Special Publication 800-160C, Systems Security Engineering: Considerations for Hardware Assurance in the Engineering of Trustworthy Secure Systems.
The interaction of the Risk Management Framework with the life cycle processes in Special Publication 800-160, will be described in future updates to NIST Special Publication 800-37.
In addition to the scoping decisions described above, this update includes:
- The incorporation of changes based on the comments received from the sixty-day public review;
- The inclusion of additional International Standards in the references and related publications section; and
- The inclusion of hyperlinks throughput the document to facilitate customer ease of use and more efficient access to key content.
Special Publication 800-160 will be finalized and published in December 2016.
This publication addresses the engineering-driven actions necessary to develop more defensible and survivable systems—including the components that compose and the services that depend on those systems. It starts with and builds upon a set of well-established International Standards for systems and software engineering published by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronics Engineers (IEEE) and infuses systems security engineering techniques, methods, and practices into those systems and software engineering processes. The ultimate objective is to address security issues from a stakeholder requirements and protection needs perspective and to use established engineering processes to ensure that such requirements and needs are addressed with appropriate fidelity and rigor, early and in a sustainable manner throughout the life cycle of the system.
This publication addresses the engineering-driven actions necessary to develop more defensible and survivable systems—including the components that compose and the services that depend on those systems. It starts with and builds upon a set of well-established International Standards for systems and...
See full abstract
This publication addresses the engineering-driven actions necessary to develop more defensible and survivable systems—including the components that compose and the services that depend on those systems. It starts with and builds upon a set of well-established International Standards for systems and software engineering published by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronics Engineers (IEEE) and infuses systems security engineering techniques, methods, and practices into those systems and software engineering processes. The ultimate objective is to address security issues from a stakeholder requirements and protection needs perspective and to use established engineering processes to ensure that such requirements and needs are addressed with appropriate fidelity and rigor, early and in a sustainable manner throughout the life cycle of the system.
Hide full abstract
Keywords
developmental engineering; disposal; engineering trades; field engineering; implementation; information security; information security policy; inspection; integration; penetration testing; protection needs; requirements analysis; resiliency; review; risk assessment; risk management; risk treatment; security architecture; security authorization; security design; security requirements; specifications; stakeholder; system-of-systems; system component; system element; system life cycle; systems; systems engineering; systems security engineering; trustworthiness; validation; Assurance; verification
Control Families
Access Control; Audit and Accountability; Awareness and Training; Configuration Management; Contingency Planning; Identification and Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical and Environmental Protection; Planning; Program Management; Risk Assessment; Assessment, Authorization and Monitoring; System and Communications Protection; System and Information Integrity; System and Services Acquisition
) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)
