Date Published: June 7, 2022
Comments Due:
Email Questions to:
Author(s)
Ron Ross (NIST), Mark Winstead (MITRE), Michael McEvilley (MITRE)
Announcement
This final public draft offers significant content and design changes that include a renewed emphasis on the importance of systems engineering and viewing systems security engineering as a critical subdiscipline necessary to achieving trustworthy secure systems. This perspective treats security as an emergent property of a system. It requires a disciplined, rigorous engineering process to deliver the security capabilities necessary to protect stakeholders’ assets from loss while achieving mission and business success.
Bringing security out of its traditional stovepipe and viewing it as an emergent system property helps to ensure that only authorized system behaviors and outcomes occur, much like the engineering processes that address safety, reliability, availability, and maintainability in building spacecraft, airplanes, and bridges. Treating security as a subdiscipline of systems engineering also facilitates making comprehensive trade space decisions as stakeholders continually address cost, schedule, and performance issues, as well as the uncertainties associated with system development efforts.
In particular, this final public draft:
- Provides a renewed focus on the design principles and concepts for engineering trustworthy secure systems, distributing the content across several redesigned initial chapters
- Relocates the detailed system life cycle processes and security considerations to separate appendices for ease of use
- Streamlines the design principles for trustworthy secure systems by eliminating two previous design principle categories
- Includes a new introduction to the system life cycle processes and describes key relationships among those processes
- Clarifies key systems engineering and systems security engineering terminology
- Simplifies the structure of the system life cycle processes, activities, tasks, and references
- Provides additional references to international standards and technical guidance to better support the security aspects of the systems engineering process
NIST is interested in your feedback on the specific changes made to the publication during this update, including the organization and structure of the publication, the presentation of the material, its ease of use, and the applicability of the technical content to current or planned systems engineering initiatives.
NOTE: A call for patent claims is included on page v of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
This publication provides a basis for establishing a discipline for systems security engineering (SSE) as part of systems engineering and does so in terms of its principles, concepts, activities, and tasks. The publication also demonstrates how those SSE principles, concepts, activities, and tasks can be effectively applied to systems engineering efforts to foster a common mindset to deliver security for any system, regardless of its purpose, type, scope, size, complexity, or stage of its system life cycle. Ultimately, the intent of the material is to advance the field of SSE as a discipline that can be applied and studied and to serve as a basis for the development of educational and training programs, including the development of professional certifications and other assessment criteria.
This publication provides a basis for establishing a discipline for systems security engineering (SSE) as part of systems engineering and does so in terms of its principles, concepts, activities, and tasks. The publication also demonstrates how those SSE principles, concepts, activities, and tasks...
See full abstract
This publication provides a basis for establishing a discipline for systems security engineering (SSE) as part of systems engineering and does so in terms of its principles, concepts, activities, and tasks. The publication also demonstrates how those SSE principles, concepts, activities, and tasks can be effectively applied to systems engineering efforts to foster a common mindset to deliver security for any system, regardless of its purpose, type, scope, size, complexity, or stage of its system life cycle. Ultimately, the intent of the material is to advance the field of SSE as a discipline that can be applied and studied and to serve as a basis for the development of educational and training programs, including the development of professional certifications and other assessment criteria.
Hide full abstract
Keywords
assurance; developmental engineering; engineering trades; field engineering; implementation; information security; information security policy; inspection; integration; penetration testing; protection needs; requirements analysis; resilience; review; risk assessment; risk management; risk treatment; security architecture; security design; security requirements; specifications; stakeholders; system of systems; system component; system element; system life cycle; systems; systems engineering; systems security engineering; trustworthiness; validation; verification
Control Families
None selected
) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)
