NIST Proposes Guidelines For More Secure IT Systems - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Government // Cybersecurity

NIST Proposes Guidelines For More Secure IT Systems

Recommendations infuse security practices into cradle-to-grave IT and software engineering processes for both private and public-sector IT systems.

5 Online Tools Uncle Sam Wants You To Use
5 Online Tools Uncle Sam Wants You To Use
(Click image for larger view and slideshow.)

The National Institute of Standards and Technology has released an initial public draft of security guidelines for developing "more defensible and survivable" IT systems. The publication, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems, aims to establish processes that build security into IT systems from the ground up.

The NIST recommendations revolve around a four-stage development process involving technical and nontechnical processes. The guidelines incorporate widely used international standards for systems, software, and security engineering published by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronic Engineers (IEEE).

The 120-page draft document, released May 13, addresses 11 core systems engineering processes used in developing IT systems and software and recommends specific security enhancements for each process. The recommendations look at system security at every stage of the system life cycle, including concept, development, production, operation and support, and retirement.

[Another NIST guideline, capturing best IT security practices, is getting a close look by private-sector execs. Read Protecting Critical Infrastructure: A New Approach.]

"These processes, if properly carried out, result in stronger, more penetration-resistant and resilient systems and a measurable level of assurance and trustworthiness to more effectively manage mission/business risk," NIST said in the report, which was co-authored by information assurance experts from NIST, the National Security Agency, and the Mitre Corp.

The engineering-driven guidelines could be applied to systems design in both the public and private sectors -- and to upgrades to fielded systems, not just new systems. According to NIST, they're suitable for "small and large systems, and for many different types of applications, including general-purpose financial systems, defense systems and the industrial control systems used in power plants and manufacturing."

"We need to have the same confidence in the trustworthiness of our IT products and systems that we have in the bridges we drive across or the airplanes we fly in," Ron Ross, NIST fellow and the publication's co-author, said in a press release.

Summary of technical and nontechnical processes that could incorporate stronger IT security engineering disciplines, from NIST publication 800-160.
Summary of technical and nontechnical processes that could incorporate stronger IT security engineering disciplines, from NIST publication 800-160.

Later drafts will include material on principles of security, trustworthiness, and system resilience, as well as use case scenarios and nontechnical processes like risk management. NIST plans to release a final version of the guidelines by December. In the meantime, the agency is seeking public comments on the current draft until July 11 and expects to release its final recommendations by the end of this year.

In a separate effort this year, NIST released voluntary cybersecurity guidelines for critical-infrastructure operators. The Framework for Improving Critical Infrastructure Cybersecurity, which was developed at the White House's direction, gives executives in 16 industries -- such as communications, defense, energy, financial services, and transportation -- a way to assess and improve their organization's cybersecurity posture.

Though the framework has been criticized for not telling critical-infrastructure operators what to do or which tools to use, many see it as an important step toward improving the security of privately owned facilities.

Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.

Elena Malykhina began her career at The Wall Street Journal, and her writing has appeared in various news media outlets, including Scientific American, Newsday, and the Associated Press. For several years, she was the online editor at Brandweek and later Adweek, where she ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
5/14/2014 | 11:45:44 PM
Comment period
My initial comment to NIST is  this: Incorporating security disciplines in each of 11 system and software engineering processes sounds like a good move, but what incentives will developers or SysAdmins have in actually using those disciplines, especially when there's so much emphasis on speed to market?

InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

10 Things Your Artificial Intelligence Initiative Needs to Succeed
Lisa Morgan, Freelance Writer,  4/20/2021
Tech Spending Climbs as Digital Business Initiatives Grow
Jessica Davis, Senior Editor, Enterprise Apps,  4/22/2021
Optimizing the CIO and CFO Relationship
Mary E. Shacklett, Mary E. Shacklett,  4/13/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll