NIST Cyber-Resilient Systems: Draft SP 800-160 Volume 2 Revision 1 is Available for Comment

Cyber attacks are a reality. Sometimes even with the best protective measures in
place, adversaries can breach perimeter defenses and find their way into systems.

Draft NIST Special Publication (SP) 800-160, Volume 2, Revision 1, Developing
Cyber-Resilient Systems: A Systems Security Engineering Approach,
turns the traditional perimeter defense strategy on its head and moves
organizations toward a cyber resiliency strategy that facilitates defending
systems from the inside out instead of from the outside in. This guidance helps
organizations anticipate, withstand, recover from, and adapt to adverse
conditions, stresses, or compromises on systems – including hostile and
increasingly destructive cyber attacks from nation states, criminal gangs, and
disgruntled individuals.

This major update to NIST’s flagship cyber resiliency publication offers significant
new content and support tools for organizations to defend against cyber
attacks, including ever-growing and destructive ransomware attacks. The
document provides suggestions on how to limit the damage that adversaries can
inflict by impeding their lateral movement, increasing their work factor, and
reducing their time on target.

In particular, the draft publication:

  • Updates the controls that support cyber resiliency to be consistent with
    NIST SP 800-53, Revision 5
  • Standardizes a single threat taxonomy (i.e., Adversarial Tactics,
    Techniques, and Common Knowledge [ATT&CK] framework)
  • Provides a detailed mapping and analysis of cyber resiliency
    implementation approaches and supporting NIST SP 800-53 controls to
    the ATT&CK framework techniques, mitigations, and candidate mitigations

The public comment period is open through September 20, 2021. See the publication
details for a copy of the draft and instructions for submitting comments.

NOTE: A call for patent claims is included on page v of this
draft. For additional information, see the Information
Technology Laboratory (ITL) Patent Policy–Inclusion of Patents in ITL
Publications.

Publication details:
https://csrc.nist.gov/publications/detail/sp/800-160/vol-2-rev-1/draft

ITL Patent Policy:
https://www.nist.gov/itl/information-technology-laboratory-itl-patent-policy-inclusion-patents-itl-publications