At the Splunk GovSummit in Washington D.C., The National Institute of Standards and Technology (NIST) unveiled its Systems Security Engineering guidelines (NIST SP 800-160) – A set of detailed guidelines to help security engineering and other engineering professionals better protect Internet-connected devices.
The NIST guidelines are the product of four years of research and development. They have been available in draft form since 2014, although the document has only just been finalized. The guidelines were initially scheduled to be released in December, although NIST took the decision to bring forward the release date and published the finished document a month early.
According to NIST, “the need for trustworthy secure systems has never been more important to the long-term economic and national security interests of the United States.”
Currently, Internet-connected devices are coming to market without adequate security controls. Only when hackers succeed in compromising those devices do the risks become abundantly clear.
Improving device security is a complex task that cannot simply involve bolting on additional protections as an afterthought. Security needs to be considered when developing products and must be factored in to all stages of the product lifecycle. That is a complex task, hence the need for detailed guidance.
As NIST explains, “Increasing the trustworthiness of systems is a significant undertaking that requires a substantial investment in the requirements, architecture, design, and development of systems, components, applications, and networks.”
The guidelines apply not only to systems, but also the components that make up those systems and the services which depend on those systems. The 242-page document details 30 separate processes covering the entire life cycle of products from the initial planning stages through to disposal along with the actions that must be taken to ensure more defensible and survivable systems are developed.
NIST used International Standards for systems and software engineering as a base, and built on those standards by including a range of systems security engineering methods, practices, and techniques. The new guidelines use a security engineering approach to prevent penetration and limit damage if systems are breached.
NIST fellow, Ron Ross Ross says, “The ultimate objective is to obtain trustworthy secure systems that are fully capable of supporting critical missions and business operations while protecting stakeholder assets, and to do so with a level of assurance that is consistent with the risk tolerance of those stakeholders.”
According to U.S. Chief Information Officer Tony Scott, who joined Ross at the Summit announcing the release of the guidelines, the document “will change the national dialogue from one of victims to one of a group of people who can do something about this.”