NIST finalizes massive security engineering guide

In the battle for cybersecurity, U.S. government computer scientists want to move the frontline — building security into software the way safety is built into physical infrastructure.

“When you cross a bridge or you fly an airplane, you have confidence that airplane will fly and that bridge is going to sustain you from one side to the other,” said Ron Ross, longtime National Institutes of Standards and Technology cyber guru.

“That trustworthiness doesn’t happen by accident, you have to engineer it in,” he said.

Tuesday, he rolled out a new publication designed to help software engineers build more secure products — NIST Special Publication 800-160: Systems Security Engineering.


So far, that trustworthiness has proved elusive in IT; something which is becoming increasingly problematic as America moves more of its economy, government and daily life online.

“These computers are being pushed out into every sector of our critical infrastructure,” warned Ross.

In a blog post Tuesday, he called SP 800-160 “the most important publication that I have been associated with in my two decades of service with NIST.”

“This is an inflection point for all of us,” added U.S. Chief Information Security Officer Greg Touhill, referring to the explosive growth of the Internet of Things and the potential cybersecurity Armageddon it heralds.

The two men joined U.S. CIO Tony Scott at the Splunk government summit in Washington — the latest in a series of officials to warn about the consequences of pervasive cyber insecurity in the IoT.


More than just a slogan

Just as civil engineers must design a bridge so it can sustain the weight of the vehicles that will cross it, so software engineers need to design code that can’t be taken over by hackers, said Ross — and that means, for cybersecurity, “Build it in, bake it in, don’t bolt it on at the end.”

NIST’s publication was designed to make sure that could be more than “just a slogan,” he said.

“We wanted to make it as welcoming as possible,” Ross added, to all three intended audiences: computer engineers in the public sector, those in the private sector, and academics, who would be training the next generation of computer scientists.

Success, cautioned Splunk CTO Snehal Antani, will require a collaboration between those three sectors on a level “not seen since the space race.”


“We have to fundamentally change the economics of cyberattacks and defense,” he said, posing the question: “How do we cut the cost of cyber defense by 1000x?”

Two years in the making

SP 800-160 has been more than two years in the making.

“We were bringing together two different worlds,” said Ross. “The world of the computer security people … and the systems engineers [each] with their own language and way of doing business and methodologies.”

The publication uses as a framework the widely employed international standard 15288 for systems and software engineering. “It’s the way people actually build systems … bridges and aircraft,” said Ross.


For each of the 30-plus processes defined by the standard, from the initial business and mission analysis through the design and architecture phases, the 257-page publication outlines “every security activity that would help the engineers make a more trustworthy system.”

“Our approach was we take the body of [cybersecurity] knowledge that we worked on for decades [into] the basic engineering process,” he said.

The initial draft, in 2014, was criticized for being too heavy with technical detail, even for its intended audience. “We overwhelmed the engineering community,” admitted Ross.

He said much of that technical detail had been relegated to a set of appendices, and that other matters, like hardware assurance and resiliency, had been “carved out” to get their own special publications in the future.

Ross added the processes fleshed out were “agnostic” as to management philosophy. But he acknowledged that implementing them would have an unquantified cost.


“We haven’t done any cost analysis,” he said. “Building trustworthy systems and components takes a little bit more work, it may cost a little bit more money but when that development is done … that product gets pushed out to millions of consumers.”
