NIST standard puts security at start of critical systems development
NIST announced the developing standards, along with a public draft on the measures.
The National Institute of Standards and Technology (NIST) is developing a set of standards that would help developers build security into critical systems “from the ground up.”
On Tuesday, NIST announced that the voluntary guidelines, designed to apply systems and software engineering principles to information system security, will be launched in a four-stage process, starting with technical standards that take a page from those widely used by civil engineers.
The standards will serve as a road map for IT management securing a range of integral applications that keep the nation running, including financial systems, industrial control systems, and those used in the defense sector.
NIST's announcement included a draft document (PDF) describing the 11 core technical processes in systems and software development that would be implemented under the guidelines. The 121-page document, called “Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems,” was made available online, since NIST opened the draft to public comment through July 11.
On Wednesday, Ron Ross, a computer scientist and NIST fellow who helped author the draft document, provided background on the technical guidelines to SCMagazine.com.
“[The process was about] how we can bring these communities together to develop stronger information systems that are more resistant to cyber attacks and to modern threats we see today,” Ross said.
In the NIST release, Ross spoke more to this point, saying that “We need to have the same confidence in the trustworthiness of our IT products and systems that we have in the bridges we drive across or the airplanes we fly in.”
According to Ross, the developing guidelines were inspired by ISO/IEC 15288, an international standard released in 2008 that provides a framework for systems security engineering life cycle processes, he said in an interview with SCMagazine.com.
The International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronic Engineers (IEEE) jointly released ISO/IEC 15288.