Government // Cybersecurity
News
5/14/2014
01:10 PM
Connect Directly
RSS
E-Mail
50%
50%

NIST Proposes Guidelines For More Secure IT Systems

Recommendations infuse security practices into cradle-to-grave IT and software engineering processes for both private and public-sector IT systems.

5 Online Tools Uncle Sam Wants You To Use
5 Online Tools Uncle Sam Wants You To Use
(Click image for larger view and slideshow.)

The National Institute of Standards and Technology has released an initial public draft of security guidelines for developing "more defensible and survivable" IT systems. The publication, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems, aims to establish processes that build security into IT systems from the ground up.

The NIST recommendations revolve around a four-stage development process involving technical and nontechnical processes. The guidelines incorporate widely used international standards for systems, software, and security engineering published by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronic Engineers (IEEE).

The 120-page draft document, released May 13, addresses 11 core systems engineering processes used in developing IT systems and software and recommends specific security enhancements for each process. The recommendations look at system security at every stage of the system life cycle, including concept, development, production, operation and support, and retirement.

[Another NIST guideline, capturing best IT security practices, is getting a close look by private-sector execs. Read Protecting Critical Infrastructure: A New Approach.]

"These processes, if properly carried out, result in stronger, more penetration-resistant and resilient systems and a measurable level of assurance and trustworthiness to more effectively manage mission/business risk," NIST said in the report, which was co-authored by information assurance experts from NIST, the National Security Agency, and the Mitre Corp.

The engineering-driven guidelines could be applied to systems design in both the public and private sectors -- and to upgrades to fielded systems, not just new systems. According to NIST, they're suitable for "small and large systems, and for many different types of applications, including general-purpose financial systems, defense systems and the industrial control systems used in power plants and manufacturing."

"We need to have the same confidence in the trustworthiness of our IT products and systems that we have in the bridges we drive across or the airplanes we fly in," Ron Ross, NIST fellow and the publication's co-author, said in a press release.

Summary of technical and nontechnical processes that could incorporate stronger IT security engineering disciplines, from NIST publication 800-160.
Summary of technical and nontechnical processes that could incorporate stronger IT security engineering disciplines, from NIST publication 800-160.

Later drafts will include material on principles of security, trustworthiness, and system resilience, as well as use case scenarios and nontechnical processes like risk management. NIST plans to release a final version of the guidelines by December. In the meantime, the agency is seeking public comments on the current draft until July 11 and expects to release its final recommendations by the end of this year.

In a separate effort this year, NIST released voluntary cybersecurity guidelines for critical-infrastructure operators. The Framework for Improving Critical Infrastructure Cybersecurity, which was developed at the White House's direction, gives executives in 16 industries -- such as communications, defense, energy, financial services, and transportation -- a way to assess and improve their organization's cybersecurity posture.

Though the framework has been criticized for not telling critical-infrastructure operators what to do or which tools to use, many see it as an important step toward improving the security of privately owned facilities.

Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.

Elena Malykhina began her career at The Wall Street Journal, and her writing has appeared in various news media outlets, including Scientific American, Newsday, and the Associated Press. For several years, she was the online editor at Brandweek and later Adweek, where she ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WKash
50%
50%
WKash,
User Rank: Author
5/14/2014 | 11:45:44 PM
Comment period
My initial comment to NIST is  this: Incorporating security disciplines in each of 11 system and software engineering processes sounds like a good move, but what incentives will developers or SysAdmins have in actually using those disciplines, especially when there's so much emphasis on speed to market?

d
Cyber Security Standards for Major Infrastructure
Cyber Security Standards for Major Infrastructure
The Presidential Executive Order from February established a framework and clear set of security standards to be applied across critical infrastructure. Now the real work begins.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 24, 2014
Start improving branch office support by tapping public and private cloud resources to boost performance, increase worker productivity, and cut costs.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.