NIST revises flagship cyber resiliency guidance

The revised controls are mapped to MITRE's ATT&CK threat framework.

The National Institute of Standards and Technology released the first-ever revision to its flagship cyber resiliency guidance with updated controls and a single threat taxonomy Thursday.

NIST updated Special Publication (SP) 800-160 Vol. 2 to align its cyber resilience controls with the SP 800-53 Rev. 5 security and privacy controls for agencies’ and industry’s IT systems, and to map them to MITRE’s ATT&CK threat framework.

A product of the NIST Systems Security Engineering initiative, the guidance reflects the latest cyber resiliency implementation approaches for engineers to address known hacker tactics laid out in the ATT&CK framework.

“The goal of the NIST Systems Security Engineering initiative is to address security, safety and resiliency issues from the perspective of stakeholder requirements and protection needs, using established engineering processes to ensure that those requirements and needs are addressed across the entire system life cycle to develop more trustworthy systems,” reads the revised guidance.
Cyber resiliency engineers design and maintain systems that anticipate, withstand, recover from and adapt to stresses, attacks and compromises — thereby reducing risk to agencies.

The guidance provides a cyber resiliency engineering framework complete with a tailorable analysis agencies can use to determine whether a system of theirs, no matter how old, is at risk of being compromised by advanced persistent threats.

Technical appendices supplement that framework with:

  • background and contextual information on cyber resiliency;
  • detailed descriptions of goals, objectives, techniques, implementation approaches, and design principles;
  • mutually beneficial controls corresponding to those in SP 800-53; and
  • language used to describe the effects of current threat mitigations.

Written by Dave Nyczepir