The folks over at the NIST Information Technology Labs (ITL) have been busy. One complaint about the recently released Risk Management Framework (RMF) [1], developed in response the President’s Executive Order 13636 on Improving Critical Infrastructure Cybersecurity, was that it did not address application security (the coding practices that allow for SQL injection, buffer overflow, etc). [2].

They are working hard to address that, and have just announced [1] a four-stage program to develop detailed guidelines for “systems security engineering.” They are adapting a set of widely used international standards for systems and software engineering to the needs of security engineering. The base is ISO 15288:2008, “Systems and software engineering — System life cycle processes”.[3]

When a system element is software, the software life cycle processes documented in ISO/IEC 12207:2008 “Systems and software engineering — Software life cycle processes”[4] may be used to implement that system element.  ISO/IEC 15288:2008 and ISO/IEC 12207:2008 are harmonized for concurrent use on a single project or in a single organization.

Ron Ross, a NIST Fellow, noted that “we need to have the same confidence in the trustworthiness of our IT products and systems that we have in the bridges we drive across or the airplanes we fly in”, and that systems security engineering processes, supported by the fields of mathematics, computer science and systems/software engineering, can provide the discipline and structure needed to produce IT components and systems that enjoy the same level of trust and confidence.

NIST has released the first set of those guidelines for public comment in a new draft document, NIST 800-160, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems.[5]

Public comments on the current draft are requested by July 11, 2014, and should be sent to sec-cert@nist.gov.

NIST also continues to accept and consider informal feedback about the RMF from organizations and individuals. Send observations, suggestions, and lessons learned to cyberframework@nist.gov.

REFERENCES

1. See http://www.nist.gov/itl/csd/sp800-160-051314.cfm
2. See http://www.nist.gov/cyberframework/index.cfm and the Version 1 document Framework for Improving Critical Infrastructure Cybersecurity.
3. See Rohit Sethi, http://www.infosecisland.com/blogview/23551-The-NIST-Cyber-Security-Framework-Completely-Misses-the-Mark.html, posted Monday, January 06, 2014.
4. See http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=43564
5. See http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=43447
6. R. Ross, J.C. Oren and M. McEvilley. Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems. NIST Special Publication 800-160. Initial Public Draft. May 2014.