The National Institute of Standards and Technology has published a final version of new guidance on engineering trustworthy secure systems, which it says will provide engineers across government and private enterprise with essential design principles.
The document sets out specific definitions for cybersecurity leaders to follow as they implement strategies to protect their organizations, including what constitutes an adequately secure system, what constitutes loss and loss control, and what makes up digital asset management.
NIST is seeking comments from industry on the final draft.
According to NIST, the new guidance clarifies terminology used in previous versions and improves references to international standards.
NIST’s new guidance comes amid calls from federal agency leaders and private industry for clearer definition of cybersecurity standards. Department of Defense CIO for cybersecurity Michele Iversen earlier this year warned that the agency’s framework for improving critical infrastructure cybersecurity is not always comprehensive enough to cover the many use cases that arise.
The new guidance took NIST at least five months to develop and follows several previous versions of the document. NIST hopes the guidance will form the basis of educational and training programs including professional certifications.
Revisions place renewed emphasis on systems security engineering (SSE) as a critical subdiscipline in ensuring trustworthy systems.
“This perspective treats security as an emergent property of a system,” reads the guidance. “It requires a disciplined, rigorous engineering process to deliver the security capabilities necessary to protect stakeholders’ assets from loss while achieving mission and business success.”
Stakeholders continually address cost, schedule and performance issues throughout system development, and the perspective can be applied to securing any system.
The guidance includes streamlined design principles for engineering trustworthy secure systems, simplified system life cycle processes and security considerations, clarified SSE terminology, and additional references to international standards and technical guidance.
Editor’s note: This story was updated to clarify that the document is a final draft of the new guidance.