
Blog

NIST Issues Guidance on Creating Secure Systems



Author

Alessandra Swanson


November 23, 2016

With an eye to providing guidance on security standards for interconnected devices and the Internet of Things, the National Institute of Standards and Technology (NIST) recently released the finalized version of Special Publication 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. The Publication spans 257 pages and establishes the framework for systems security engineering, a discipline that focuses on building security into a system’s lifecycle: implementing safeguards at the development stage for each process incorporated into the system, and consistently monitoring and updating those protections to address security concerns through the retirement of the system. To that end, NIST outlines 30 processes that may introduce specific security concerns into a system, including organizational processes like human resources management and technical management processes like quality assurance activities. The Publication then provides guidance on the desired security outcomes for each process and the steps an organization may take to achieve them.

TIP: NIST echoes the Federal Trade Commission’s “Privacy by Design” principle by encouraging organizations to consider the implementation of appropriate security standards throughout the lifecycle of a system. Companies that maintain complex information systems or products may be well-served to review both the NIST and FTC frameworks for guidance on protecting their infrastructure from security threats or disruptions.


This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.


Copyright © 2025. Winston & Strawn LLP
