Date Published: January 11, 2022
Comments Due:
Email Questions to:
Author(s)
Ron Ross (NIST), Michael McEvilley (MITRE), Mark Winstead (MITRE)
Announcement
NIST is releasing the draft of a major revision to Special Publication (SP) 800-160 Volume 1, Engineering Trustworthy Secure Systems. This publication is intended to serve as a reference and educational resource for engineers and engineering specialties, architects, designers, and personnel involved in the development of trustworthy secure systems and system components. The guidance can be applied selectively by organizations, individuals, or engineering teams to improve the security and trustworthiness of systems and system components.
In particular, Draft SP 800-160 Volume 1, Revision 1 focuses on the following strategic objectives, which drove the majority of changes to the publication:
- More strongly positioning Systems Security Engineering (SSE) as a sub-discipline of Systems Engineering (SE)
- Emphasizing that the responsibility for engineering trustworthy secure systems is not limited to security specialties and that the achievement of security outcomes must properly align with SE outcomes
- Aligning SSE practices with safety practices and other disciplines that deal with the loss of assets and the consequences of asset loss
- Focusing on the assurance of the correctness and effectiveness of the system’s security capability to achieve authorized and intended behaviors and outcomes and control adverse effects and loss
- More closely aligning systems security engineering work to international standards
NIST is interested in your feedback on the specific changes made to the publication during this update, including the organization and structure of the publication, the presentation of the material, its ease of use, and the applicability of the technical content to current or planned systems engineering initiatives.
We encourage you to submit comments using the comment template provided.
NOTE: A call for patent claims is included on page vi of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
With the continuing frequency, intensity, and adverse consequences of cyber-attacks, disruptions, hazards, and other threats to federal, state, and local governments, as well as private sector organizations, the need for trustworthy secure systems has never been more important to the long-term economic and national security interests of the United States. Engineering-based solutions are essential to managing the complexity, dynamicity, and interconnectedness of today’s systems, as exemplified by cyber-physical systems and systems-of-systems. This publication addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose those systems and the capabilities and services delivered by those systems. This publication starts with and builds upon established international standards for systems and software engineering by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronics Engineers (IEEE) and infuses systems security engineering methods, practices, and techniques into those systems and software engineering activities. The objective is to address security issues from a stakeholder protection needs, concerns, and requirements perspective and to use established engineering processes to help ensure that such needs, concerns, and requirements are addressed with appropriate fidelity and rigor throughout the system life cycle.
With the continuing frequency, intensity, and adverse consequences of cyber-attacks, disruptions, hazards, and other threats to federal, state, and local governments, as well as private sector organizations, the need for trustworthy secure systems has never been more important to the long-term...
See full abstract
With the continuing frequency, intensity, and adverse consequences of cyber-attacks, disruptions, hazards, and other threats to federal, state, and local governments, as well as private sector organizations, the need for trustworthy secure systems has never been more important to the long-term economic and national security interests of the United States. Engineering-based solutions are essential to managing the complexity, dynamicity, and interconnectedness of today’s systems, as exemplified by cyber-physical systems and systems-of-systems. This publication addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose those systems and the capabilities and services delivered by those systems. This publication starts with and builds upon established international standards for systems and software engineering by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronics Engineers (IEEE) and infuses systems security engineering methods, practices, and techniques into those systems and software engineering activities. The objective is to address security issues from a stakeholder protection needs, concerns, and requirements perspective and to use established engineering processes to help ensure that such needs, concerns, and requirements are addressed with appropriate fidelity and rigor throughout the system life cycle.
Hide full abstract
Keywords
assurance; developmental engineering; disposal; engineering trades; field engineering; implementation; information security; information security policy; inspection; integration; penetration testing; protection needs; requirements analysis; resilience; review; risk assessment; risk management; risk treatment; security architecture; security authorization; security design; security requirements; specifications; stakeholder; system of systems; system component; system element; system life cycle; systems; systems engineering; systems security engineering; trustworthiness; validation; verification
Control Families
None selected