The NIST recommendations revolve around a four-stage development process involving technical and nontechnical processes. The guidelines incorporate widely used international standards for systems, software, and security engineering published by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronic Engineers (IEEE).
The 120-page draft document, released May 13, addresses 11 core systems engineering processes used in developing IT systems and software and recommends specific security enhancements for each process. The recommendations look at system security at every stage of the system life cycle, including concept, development, production, operation and support, and retirement.
"These processes, if properly carried out, result in stronger, more penetration-resistant and resilient systems and a measurable level of assurance and trustworthiness to more effectively manage mission/business risk," NIST said in the report, which was co-authored by information assurance experts from NIST, the National Security Agency, and the Mitre Corp.
The engineering-driven guidelines could be applied to systems design in both the public and private sectors -- and to upgrades to fielded systems, not just new systems. According to NIST, they're suitable for "small and large systems, and for many different types of applications, including general-purpose financial systems, defense systems and the industrial control systems used in power plants and manufacturing."
"We need to have the same confidence in the trustworthiness of our IT products and systems that we have in the bridges we drive across or the airplanes we fly in," Ron Ross, NIST fellow and the publication's co-author, said in a press release.
Summary of technical and nontechnical processes that could incorporate stronger IT security engineering disciplines, from NIST publication 800-160.
Later drafts will include material on principles of security, trustworthiness, and system resilience, as well as use case scenarios and nontechnical processes like risk management. NIST plans to release a final version of the guidelines by December. In the meantime, the agency is seeking public comments on the current draft until July 11 and expects to release its final recommendations by the end of this year.
In a separate effort this year, NIST released voluntary cybersecurity guidelines for critical-infrastructure operators. The Framework for Improving Critical Infrastructure Cybersecurity, which was developed at the White House's direction, gives executives in 16 industries -- such as communications, defense, energy, financial services, and transportation -- a way to assess and improve their organization's cybersecurity posture.
Though the framework has been criticized for not telling critical-infrastructure operators what to do or which tools to use, many see it as an important step toward improving the security of privately owned facilities.
Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.
Elena Malykhina began her career at The Wall Street Journal, and her writing has appeared in various news media outlets, including Scientific American, Newsday, and the Associated Press. For several years, she was the online editor at Brandweek and later Adweek, where she ... View Full Bio
Security Job #1 For FedsThe 2014 InformationWeek Government IT Priorities Survey shows federal IT pros care about security - itís rated as very important by 69% of respondents, 30 percentage points ahead of the No. 2 priority, disaster recovery. Will the upcoming NIST cyber-security framework help manage risk?
InformationWeek Must Reads Oct. 21, 2014InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.