New NIST Guidance Takes Engineering Approach to InfoSec

Adopting a Multidisciplinary Approach to Challenges Presented by Internet of Things
The National Institute of Standards and Technology has issued long-awaited guidance on how to approach IT security as an engineering discipline.

NIST Special Publication 800-160, "Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems," emphasizes a methodical engineering approach to information security as IT grows more complex, dynamic and interconnected, such as through the growth of the internet of things.

"We're all relying on the same commercial products today; we're building systems and the attack surface is growing," the guidance's lead author, NIST Fellow Ron Ross, said in an interview earlier this year with Information Security Media Group (see How to Bake Security Into IT From the Start). "And this [guidance] is going to give us the opportunity to take a step back and see how we can actually build security in from the start."

NIST began working on the guidance five years ago. "We've been talking about that forever, but now we do have an approach that actually can work to help us do the things that we've been saying for years," Ross said.

NIST Fellow Ron Ross discusses building resilience into IT systems.

According to its abstract, the guidance addresses the engineering-driven perspective and actions necessary to develop more defensible systems.

The guidance builds on a set of well-established international standards for systems and software engineering, which Ross contends should help win acceptance. The objective is to address stakeholder protection needs and to use established engineering processes to ensure those needs are addressed with fidelity and rigor throughout the life cycle of the system.

No Longer 'Victims'

U.S. CISO Tony Scott said he sees the new guidance as a game-changer in the approach to safeguarding digital assets, The Hill reports. "This will change the national dialogue from one of victims to one of a group of people who can do something about this," Scott said.

Among the objectives of the guidance is to build trustworthy, secure systems.

"Trustability is the capability to ensure that those security mechanisms work in a computer system ... as they're intended by the vendor and by you - via your security policy - and can't be modified or changed to do something they're not allowed to do," security consultant and former CIA CISO Robert Bigman said in an interview with ISMG earlier this year (see Making Information Systems 'Trustable'). "And, if they're changed, you'll see it, as part of the trustability matrix."

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
