NIST revises flagship cyber resiliency guidance

The National Institute of Standards and Technology released the first-ever revision to its flagship cyber resiliency guidance with updated controls and a single threat taxonomy Thursday.

NIST updated Special Publication (SP) 800-160 Vol. 2 to align cyber resilience controls with SP 800-53 Rev. 5 security and privacy controls for agencies’ and industry’s IT systems, as well as map it to MITRE’s ATT&CK threat framework.

A product of the NIST Systems Security Engineering initiative, the guidance reflects the latest cyber resiliency implementation approaches for engineers to address known hacker tactics laid out in the ATT&CK framework.

“The goal of the NIST Systems Security Engineering initiative is to address security, safety and resiliency issues from the perspective of stakeholder requirements and protection needs, using established engineering processes to ensure that those requirements and needs are addressed across the entire system life cycle to develop more trustworthy systems,” reads the revised guidance.

Cyber resiliency engineers design and maintain systems that anticipate, withstand, recover from and adapt to stresses, attacks and compromises — thereby reducing risk to agencies.

The guidance provides a cyber resiliency engineering framework complete with a tailorable analysis agencies can use to determine whether a system of theirs, no matter how old, is at risk of being compromised by advanced persistent threats.

Technical appendices supplement that framework with:

• background and contextual information on cyber resiliency;
• detailed descriptions of goals, objectives, techniques, implementation approaches, and design principles;
• mutually beneficial controls in corresponding the SP 800-53; and
• language used to describe the effects of current threat mitigations.