NIST Sets SSE Framework in Final SP 800-160 Guidance
The National Institute of Standards and Technology (NIST) published a final version of updated standards for systems security engineering (SSE) with significant content and design changes, including a renewed emphasis on the importance of systems engineering.
The final public draft puts a renewed focus on the design principles and concepts for engineering trustworthy secure systems, distributing the content across several redesigned initial chapters.
The document also clarifies key systems engineering and systems security engineering terminology and simplifies the structure of the system life cycle processes, activities, tasks and references.
Advancing SSE
The intent behind the material is to advance the field of SSE as a discipline that can be applied and studied and to serve as a basis for the development of educational and training programs, including the development of professional certifications and other assessment criteria.
“This perspective treats security as an emergent property of a system,” the guidance read. “It requires a disciplined, rigorous engineering process to deliver the security capabilities necessary to protect stakeholders’ assets from loss while achieving mission and business success.”
Darryl MacLeod, vCISO at LARES Consulting, an information security consulting firm, explained that clearer definitions of cybersecurity standards help organizations better understand their obligations in relation to cybersecurity.
“It can help ensure that everyone within an organization is working towards the same goal, and help identify potential areas of improvement,” he said. “Clarity around standards can also help with communicating cybersecurity risks to external stakeholders.”
Overall, a clearer definition of cybersecurity standards can help improve an organization’s cybersecurity posture and make it better prepared to defend against attacks.
The NIST revisions place a renewed emphasis on SSE, which MacLeod noted is important because it helps ensure that systems continue to be designed and built with security in mind.
“By taking a proactive approach to security, organizations can avoid many of the costly reactive measures that are often required after a system has been breached,” he said.
Furthermore, by considering security early in the development process, organizations can save time and money in the long run by avoiding potential security vulnerabilities.
“Systems security engineering can help to create a more secure overall computing environment, which benefits everyone,” MacLeod explained.
In addition, NIST’s recommended streamlined design principles can help reduce the complexity of systems, making them easier to understand and manage. These principles can also help ensure that systems are designed and built in a way that takes security into consideration from inception.
“Doing this can help prevent vulnerabilities from being introduced in the first place and can make it easier to spot and fix them if they do occur,” MacLeod said.
From his perspective, by including guidance on digital asset management in its cybersecurity framework, NIST is helping organizations ensure that their digital assets are properly managed and protected.
“Having a clear and up-to-date inventory of digital assets with corresponding values can help organizations more easily identify which assets are impacted by an incident and take steps to mitigate the damage,” he said. “This allows organizations to focus on what can happen, and not what’s likely to happen when it comes to digital asset-based protection.”
As part of the revised document, NIST has also included additional references to international standards and technical guidance to better support the security aspects of the systems engineering process.
“Bringing security out of its traditional stovepipe and viewing it as an emergent system property helps to ensure that only authorized behaviors and outcomes occur,” the report noted. “Treating security as a subdiscipline of systems engineering also facilitates making comprehensive trade space decisions as stakeholders continually address cost, schedule and performance issues and the uncertainties associated with system development efforts.”
Supporting the Executive Order
Karen Laughton, vice president of compliance advisory at Coalfire, a provider of cybersecurity advisory and assessment services, pointed out the guidance supports the Executive Order on Improving the Nation’s Cybersecurity issued by President Biden in May 2021.
“It also represents a continued culture shift where security is woven into the fabric of all engineering design principles rather than seen as just a ‘nice-to-have,’” she said.
Laughton pointed out the new guidance further supports the federal strategy of moving to zero-trust architecture.
“This provides both public and private sector systems with the best practices they should consider as part of their overall design strategy,” she said.
