Date Published: August 2021
Comments Due:
Email Questions to:
Author(s)
Ron Ross (NIST), Victoria Pillitteri (NIST), Richard Graubart (MITRE), Deborah Bodeau (MITRE), Rosalie McQuaid (MITRE)
Announcement
Cyber attacks are a reality. Sometimes even with the best protective measures in place, adversaries can breach perimeter defenses and find their way into systems.
Draft NIST Special Publication (SP) 800-160, Volume 2, Revision 1, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, turns the traditional perimeter defense strategy on its head and moves organizations toward a cyber resiliency strategy that facilitates defending systems from the inside out instead of from the outside in. This guidance helps organizations anticipate, withstand, recover from, and adapt to adverse conditions, stresses, or compromises on systems – including hostile and increasingly destructive cyber attacks from nation states, criminal gangs, and disgruntled individuals.
This major update to NIST’s flagship cyber resiliency publication offers significant new content and support tools for organizations to defend against cyber attacks, including ever-growing and destructive ransomware attacks. The document provides suggestions on how to limit the damage that adversaries can inflict by impeding their lateral movement, increasing their work factor, and reducing their time on target.
In particular, the draft publication:
- Updates the controls that support cyber resiliency to be consistent with NIST SP 800-53, Revision 5
- Standardizes a single threat taxonomy (i.e., Adversarial Tactics, Techniques, and Common Knowledge [ATT&CK] framework)
- Provides a detailed mapping and analysis of cyber resiliency implementation approaches and supporting NIST SP 800-53 controls to the ATT&CK framework techniques, mitigations, and candidate mitigations
NOTE: A call for patent claims is included on page v of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
This publication is used in conjunction with ISO/IEC/IEEE 15288:2015, Systems and software engineering – Systems life cycle processes; NIST Special Publication (SP) 800-160, Volume 1, Systems Security Engineering – Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems; and NIST SP 800-37, Risk Management Framework for Information Systems and Organizations – A System Life Cycle Approach for Security and Privacy. It can be viewed as a handbook for achieving the identified cyber resiliency outcomes based on a systems engineering perspective on system life cycle processes in conjunction with risk management processes, allowing the experience and expertise of the organization to help determine what is correct for its purpose. Organizations can select, adapt, and use some or all of the cyber resiliency constructs (i.e., objectives, techniques, approaches, and design principles) described in this publication and apply the constructs to the technical, operational, and threat environments for which systems need to be engineered.
This publication is used in conjunction with ISO/IEC/IEEE 15288:2015, Systems and software engineering – Systems life cycle processes; NIST Special Publication (SP) 800-160, Volume 1, Systems Security Engineering – Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy...
See full abstract
This publication is used in conjunction with ISO/IEC/IEEE 15288:2015, Systems and software engineering – Systems life cycle processes; NIST Special Publication (SP) 800-160, Volume 1, Systems Security Engineering – Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems; and NIST SP 800-37, Risk Management Framework for Information Systems and Organizations – A System Life Cycle Approach for Security and Privacy. It can be viewed as a handbook for achieving the identified cyber resiliency outcomes based on a systems engineering perspective on system life cycle processes in conjunction with risk management processes, allowing the experience and expertise of the organization to help determine what is correct for its purpose. Organizations can select, adapt, and use some or all of the cyber resiliency constructs (i.e., objectives, techniques, approaches, and design principles) described in this publication and apply the constructs to the technical, operational, and threat environments for which systems need to be engineered.
Hide full abstract
Keywords
advanced persistent threat; controls; cyber resiliency; cyber resiliency approaches; cyber resiliency design principles; cyber resiliency engineering framework; cyber resiliency goals; cyber resiliency objectives; cyber resiliency techniques; risk management strategy; system life cycle; systems security engineering; trustworthiness
Control Families
None selected
) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)
