NIST Releases Revised Guidance on Engineering Trustworthy Secure Systems

NIST has released a major revision to Special
Publication (SP) 800-160 Volume 1, 
Trustworthy Secure Systems
. This final
publication offers significant content and design changes that include a
renewed emphasis on the importance of systems engineering and viewing systems
security engineering as a critical subdiscipline necessary to achieving
trustworthy secure systems. This perspective treats security as an emergent
property of a system. It requires a disciplined, rigorous engineering process
to deliver the security capabilities necessary to protect stakeholders’ assets
from loss while achieving mission and business success.

Bringing security out of its traditional stovepipe and viewing it
as an emergent system property helps to ensure that only authorized system
behaviors and outcomes occur, much like the engineering processes that address
safety, reliability, availability, and maintainability in building spacecraft,
airplanes, and bridges. Treating security as a subdiscipline of systems
engineering facilitates comprehensive trade space decision-making as
stakeholders continually address cost, schedule, and performance issues, as
well as the uncertainties associated with system development efforts.

In particular, the final publication:

  • Provides a renewed focus on the
    design principles and concepts for engineering trustworthy secure systems,
    distributing the content across several redesigned initial chapters
  • Relocates the detailed system
    life cycle processes and security considerations to separate appendices
    for ease of use
  • Streamlines the design
    principles for trustworthy secure systems by eliminating two previous
    design principle categories
  • Includes a new introduction to
    the system life cycle processes and describes key relationships among
    those processes
  • Clarifies key systems
    engineering and systems security engineering terminology
  • Simplifies the structure of the
    system life cycle processes, activities, tasks, and references
  • Provides additional references
    to international standards and technical guidance to better support the
    security aspects of the systems engineering process