U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

NIST SP 800-160 Vol. 2 (Initial Public Draft)

Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems

Date Published: March 2018
Comments Due: May 18, 2018 (public comment period is CLOSED)
Email Questions to: sec-cert@nist.gov

Author(s)

Ron Ross (NIST), Richard Graubart (MITRE), Deborah Bodeau (MITRE), Rosalie McQuaid (MITRE)

Announcement

This is the initial public draft of NIST's newest guideline that provides a flexible systems engineering-based framework to help organizations address the Advanced Persistent Threat (APT).  Draft NIST Special Publication 800-160 Volume 2, Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems, is the first in a series of specialty publications developed to support NIST Special Publication 800-160 Volume 1, the flagship Systems Security Engineering guideline. Volume 2 addresses cyber resiliency considerations for two important, yet distinct communities of interest:

  • Organizations conducting new development of IT component products, systems, and services; and
  • Organizations with legacy systems (installed base) currently carrying out day-to-day missions and business functions.

The United States continues to have complete dependence on information technology deployed in critical infrastructure systems and applications in both the public and private sectors. From the electric grid to voting systems to “Internet of Things” consumer products, the nation remains highly vulnerable to sophisticated, well-resourced cyber-attacks from hostile nation-state actors, criminal and terrorist groups, and rogue individuals. Certain types of advanced threats have the capability to breach our critical systems, establish a presence within those systems (often undetected), and inflict immediate and long-term damage to the economic and national security interests of the Nation.

For the Nation to survive and flourish in the 21st century where hostile actors in cyberspace are assumed and information technology will continue to dominate every aspect of our lives, we must develop trustworthy, secure IT components, services, and systems that are cyber resilient. Cyber resilient systems are those systems that have required security safeguards “built in” as a foundational part of the system architecture and design; and moreover, display a high level of resiliency which means the systems can withstand an attack, and continue to operate even in a degraded or debilitated state --carrying out mission-essential functions.

Both communities (the systems engineers and enterprise security and risk management professionals) can apply the guidance and cyber resiliency considerations to help ensure that the component products, systems, and services that they need, plan to provide, or have already deployed, can survive when confronted by the APT. The guidance can also be used to guide and inform any investment decisions regarding cyber resiliency.

Abstract

Keywords

cyber resiliency engineering framework; cyber resiliency goals; cyber resiliency objectives; risk management strategy; system life cycle; systems security engineering; trustworthy; controls; cyber resiliency; cyber resiliency approaches; cyber resiliency design principles; advanced persistent threat
Control Families

None selected

Documentation

Publication:
Draft SP 800-160 Vol. 2 (pdf)

Supplemental Material:
Comment Template (xlsx)
Presentation: "Building Cyber Resilient Systems"

Document History:
03/21/18: SP 800-160 Vol. 2 (Draft)
09/04/19: SP 800-160 Vol. 2 (Draft)
11/27/19: SP 800-160 Vol. 2 (Final)

Topics

Security and Privacy

risk assessment, systems security engineering, threats