The National Institute of Standards and Technology (NIST) is set to release an overhauled systems security engineering document it hopes will change the way software and computer designers think about cyber security.
NIST calls upon U.S. federal agencies, businesses and general population to re-think the approach to cyber security, which should not be just an add-on but a foundational component of any technology that touches the Internet.
Why now? Lead author, Dr Ron Ross, explains that it has become too difficult to cover every possible point of entry into a system. Hackers constantly find ways around technical barriers. We need to build systems that have the capability to limit a cyber-attacker’s ability to penetrate or move around and to engineer those features into technology from the outset.
Threat intelligence does not stop attackers who are constantly changing methods, or leveraging tried-and-true malware and other attacks to exploit flawed systems.
The new release for public comment is an updated draft of NIST Special Publication 800-160: Systems Security Engineering, which has been overhauled from its two-year-old original draft. The new iteration takes a more holistic approach to cyber defence. It incorporates International Organization for Standardization (ISO) systems engineering standards, including 30 different processes aimed at building security capabilities into products, services and systems.
NIST plans to finalise the new 300-page draft by the end of 2016 with input from federal, state, local and commercial sources. It begins by recommending that systems be designed with initial input from users. That input can bring more information to bear on precisely what kinds of access is needed by which users, delineates which parts of the system are most in need of protection and other fundamental security aspects.
There will be a two-month comment period on the document, and possibly a second draft in autumn 2016, expected to start on 4 May 2016.