The National Institute of Standards and Technology (NIST) has finalized new guidance to provide engineers across government and private enterprises with essential design principles for engineering trustworthy secure systems.
The guidance – which took NIST at least five months to develop – lays out specific definitions for cybersecurity leaders to follow as they implement strategies to protect their organizations. It provides a basis for establishing a discipline for systems security engineering (SSE) as part of systems engineering, and does so by focusing on principles, concepts, activities, and tasks.
“The publication also demonstrates how those SSE principles, concepts, activities, and tasks can be effectively applied to systems engineering efforts to foster a common mindset to deliver security for any system, regardless of its purpose, type, scope, size, complexity, or stage of its system life cycle,” the guidance says.
In particular, the final public draft:
- Provides a renewed focus on the design principles and concepts for engineering trustworthy secure systems, distributing the content across several redesigned initial chapters;
- Relocates the detailed system life cycle processes and security considerations to separate appendices for ease of use;
- Streamlines the design principles for trustworthy secure systems by eliminating two previous design principle categories;
- Includes a new introduction to the system life cycle processes and describes key relationships among those processes;
- Clarifies key systems engineering and systems security engineering terminology;
- Simplifies the structure of the system life cycle processes, activities, tasks, and references; and
- Provides additional references to international standards and technical guidance to better support the security aspects of the systems engineering process.
The new guidance comes amid calls from Federal agency leaders and private industry for a clear definition of cybersecurity standards.
Michele Iversen, the CIO for cybersecurity at the Defense Department, warned that NIST’s framework for improving critical infrastructure cybersecurity and the variety of existing and potential standards and guidelines are not always comprehensive enough to cover the broad spectrum of use cases that arise.
Ultimately, the new NIST material is intended to advance the field of SSE as a discipline that can be applied and studied, and to serve as a basis for the development of educational and training programs, including the development of professional certifications and other assessment criteria.