NIST Proposes Guidelines For More Secure IT Systems

Recommendations infuse security practices into cradle-to-grave IT and software engineering processes for both private and public-sector IT systems.
5 Online Tools Uncle Sam Wants You To Use
5 Online Tools Uncle Sam Wants You To Use
(Click image for larger view and slideshow.)

The National Institute of Standards and Technology has released an initial public draft of security guidelines for developing "more defensible and survivable" IT systems. The publication, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems, aims to establish processes that build security into IT systems from the ground up.

The NIST recommendations revolve around a four-stage development process involving technical and nontechnical processes. The guidelines incorporate widely used international standards for systems, software, and security engineering published by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronic Engineers (IEEE).

The 120-page draft document, released May 13, addresses 11 core systems engineering processes used in developing IT systems and software and recommends specific security enhancements for each process. The recommendations look at system security at every stage of the system life cycle, including concept, development, production, operation and support, and retirement.

[Another NIST guideline, capturing best IT security practices, is getting a close look by private-sector execs. Read Protecting Critical Infrastructure: A New Approach.]

"These processes, if properly carried out, result in stronger, more penetration-resistant and resilient systems and a measurable level of assurance and trustworthiness to more effectively manage mission/business risk," NIST said in the report, which was co-authored by information assurance experts from NIST, the National Security Agency, and the Mitre Corp.

The engineering-driven guidelines could be applied to systems design in both the public and private sectors -- and to upgrades to fielded systems, not just new systems. According to NIST, they're suitable for "small and large systems, and for many different types of applications, including general-purpose financial systems, defense systems and the industrial control systems used in power plants and manufacturing."

"We need to have the same confidence in the trustworthiness of our IT products and systems that we have in the bridges we drive across or the airplanes we fly in," Ron Ross, NIST fellow and the publication's co-author, said in a press release.

Later drafts will include material on principles of security, trustworthiness, and system resilience, as well as use case scenarios and nontechnical processes like risk management. NIST plans to release a final version of the guidelines by December. In the meantime, the agency is seeking public comments on the current draft until July 11 and expects to release its final recommendations by the end of this year.

In a separate effort this year, NIST released voluntary cybersecurity guidelines for critical-infrastructure operators. The Framework for Improving Critical Infrastructure Cybersecurity, which was developed at the White House's direction, gives executives in 16 industries -- such as communications, defense, energy, financial services, and transportation -- a way to assess and improve their organization's cybersecurity posture.

Though the framework has been criticized for not telling critical-infrastructure operators what to do or which tools to use, many see it as an important step toward improving the security of privately owned facilities.

Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.