NIST updates guidelines for cybersecurity engineering

NIST updates guidelines for cybersecurity engineering

In a national context of increased cybersecurity risk across all industries, the National Institute of Standards and Technology has updated its guidelines for systems engineers.

Called “Engineering Trustworthy Secure Systems,” the document stems from President Joe Biden’s 2021 executive order to strengthen the federal government’s defenses in the wake of several large-scale attacks on critical infrastructure.

The NIST publication is a resource for computer engineers and other professionals on the programming side of cybersecurity efforts.

“This publication addresses the engineering-driven perspective and actions required to develop more defensible and sustainable systems, including the mechanical, physical and human components that make up those systems and the capabilities and services provided by those systems,” the paper reads.

Spanning over 200 pages, the publication takes a holistic approach to systems engineering. NIST researchers offer an overview of the goals and concepts of modern security systems, primarily with regards to protecting a system’s digital assets.

One of the key updates NIST authors made to the latest version of the publication was a new emphasis on security guarantees. In software systems engineering, the assurance is that the security procedures of a given system are robust enough to mitigate the loss of resources and prevent cyber attacks.

Ron Ross, a NIST colleague and one of the authors of the paper, said Nextgov that system assurances act as a justification that a security system can function effectively.

“Evidence generated during the system lifecycle is essential for creating warranty cases for systems deployed in critical infrastructure,” said Ross. “Insurance cases can transform security into something concrete, measurable and shareable. Building and providing guarantees is the way to guide the culture of safety “.

The latest draft of “Engineering Trustworthy Secure Systems” also examines the fundamentals of how to build a reliable secure design that relies on proactive elimination or mitigation of vulnerabilities. It also collects the various leak control design principles into one section and outlines how each works.

“Building reliable and secure systems cannot happen in a vacuum with insulated stovepipes for cyberspace, software and information technology,” the guidelines observe. “Rather, it requires a holistic approach to protection, broad thinking about all resources where loss could occur, and an understanding of adversity, including how adversaries attack and compromise systems.”

NIST has published similar guidelines in recent years. In 2018, a guide focused on how federal agencies can protect legacy computer systems from cyber attacks. And in August 2021, officials released a broader paper on cyber-resilient systems for public and private sector organizations.

Leave a Comment

Your email address will not be published.