Following on the heels of the National Institute of Standards and Technology’s (“NIST”) release of the Framework for Improving Critical Infrastructure Cybersecurity (a/k/a the “Cybersecurity Framework” – see our coverage here and here), NIST unveiled yesterday a 123-page initial draft for public comment of Special Publication 800-160, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems.
Described by NIST as a “new initiative,” SP 800-160 “seeks to bring widely recognized systems and software engineering principles to bear on the problem of information system security.”
Putting aside the mouthful of a title, the goal for SP 800-160, according to NIST, is to:
“Help establish processes that build security into IT systems from the beginning using sound design principles, rather than trying to tack it on at the end.”
We heartily applaud this effort and will be detailing legal requirements and best practices likely to stem from such an approach in future posts.
We’re dubbing NIST’s latest initiative “Security by Design” for its parallel to the foundational motivation behind Privacy by Design – which has long been promoted on the data privacy side of the equation, most recently by the FTC in its 2012 Privacy framework.
The guidelines in SP 800-160 represent the start of a two-year interagency initiative to “define systems security engineering processes that are tightly coupled to and fully integrated into well-established, international standards-based systems and software engineering processes” and, for the moment, consist of a four-phase development timetable NIST says will culminate in the publication of the final systems security engineering guideline at the end of 2014.
A Four Phase Roadmap – Technical Processes, Supporting Documentation, Non-technical Processes & Overall Alignment
As part of its request for public comment (due by July 11, 2014, with any public comments to be sent to email@example.com), SP 800-160 is broken into a four-phase roadmap designed to ultimately result in a “map” for defensible information security infrastructure engineering, supplemented by NIST’s customary lengthy set of appendices. NIST describes the four phases, with target timeframes for each, as:
- Phase 1: Development of the systems security engineering technical processes based on the technical systems and software engineering processes defined in ISO/IEC/IEEE 15288:2008;
- Phase 2: Development of the remaining supporting appendices (Summer 2014);
- Phase 3: Development of the systems security engineering nontechnical processes based on the nontechnical systems and software engineering processes (Fall 2014); and
- Phase 4: Alignment of the technical and nontechnical processes based on the updated systems and software engineering processes defined in ISO/IEC/IEEE DIS 15288:201x(E) (Fall or Winter 2014 subject to the final publication schedule of the international standards bodies)
Succeeding at all of the above is an ambitious goal. A quick review of SP 800-160 shows that the focus is on “processes” – Chapter Three details them all, following a system lifecycle chronologically from the “Requirements Analysis Process” to the “Disposal Process.”
Although SP 800-160 is a highly technical document, NIST is definitely on to something here. We’ll be following its development closely over the rest of the year and will be detailing the legal regimes and analysis that should accompany any implemented “Security by Design” program that may result.