Engineering Secure Cyber-Resilient Systems


NIST SP 800-160 provides guidance on engineering trustworthy secure systems and developing cyber-resilient systems. This National Institute of Standards and Technology (NIST) publication focuses on integrating security into engineering processes throughout the product’s life cycle.  It aims to foster a common mindset for delivering security across various system types and complexities.

Engineering Secure Systems

It is essential to define the security requirements of a product based on business and stakeholder concerns. Having defined those requirements, engineering-driven solutions must be found for the selection of architectures and tools and for the implementation and sustainment of the product throughout its life cycle. This requires a systems engineering approach that integrates expertise across multiple engineering and specialty disciplines.

Systems security engineering considerations should include both systems and software engineering in designing secure products.  Engineering of trustworthy secure products requires establishing the required trustworthiness of each contributor to risk through evidence-based assurance.

Systems Security Engineering Framework

The systems security engineering framework defined in NIST SP 800-160 is a set of interacting processes. Each process has its own checks and balances to address security perspectives across all system life cycle stages. The key components of the framework are:

  • Problem: Here security objectives and requirements are defined, along with measures of success and life cycle security concepts. Additionally, evidence is produced for the security aspects of the problem.
  • Solution: In this context, the security aspects of the solution are defined and realized.
  • Trustworthiness: Here the assurance case is developed and demonstrated.

This process is cyclic, leading to more refined architectures and solutions. In the problem phase, stakeholder concerns, operational capabilities, and performance requirements are determined. In the solution phase, security aspects include the development of system protection strategies; evidence of their effectiveness is obtained through analysis, testing, and demonstration. In the trustworthiness context, an assurance case is made through a well-defined and structured set of arguments supported by a body of evidence.

The Life Cycle Security Model

The life cycle represents the evolution of a product from development, prototyping, and testing through manufacture, operations, sustainment, and retirement. Safety concerns should be considered at each stage to identify security risks to operation, data, and user safety. Through this approach, the engineering process identifies intended behaviors, indicators of proper operation, and potential non-specified conditions. Solutions are then sought to minimize risks and mitigate undesired conditions.

Conclusions

NIST 800-160 is not a cybersecurity standard. Instead, it provides a systems engineering approach that integrates risk management processes. It is written at a high level to address the concerns of a large variety of product development types. Its use of a life cycle approach allows manufacturing, support, and maintenance activities to be defined early in the specification phase. It also addresses multi-discipline contributions to product development in order to achieve secure architectures. These concepts and processes allow for systems security engineering trustworthiness throughout the supply chain.

CVG Strategy Cybersecurity Consultants

CVG Strategy can provide guidance and help your organization understand and implement contractually required NIST standards and CMMC. We are dedicated to helping small businesses navigate federal regulations and contract requirements for Quality Management, Cybersecurity, Export Compliance, and Test and Evaluation. We can help you meet your information security management system goals. CVG Strategy QMS experts can provide the training required to understand and engage in an ISMS and make it meet desired objectives.

Identify CUI Areas with CVG Strategy Signs

CVG Strategy provides signs to identify areas containing CUI and export controlled items. These signs should be posted at all facility entrances where access controlled or export controlled articles and technology are present.

Jamie Hamilton
