NIST standard puts security at start of critical systems development

NIST announced the developing standards, along with a public draft on the measures.

The National Institute of Standards and Technology (NIST) is developing a set of standards that would help developers build security into critical systems “from the ground up.”

On Tuesday, NIST announced that the voluntary guidelines, designed to apply systems and software engineering principles to information system security, will be launched in a four-stage process, starting with technical standards that take a page from those widely used by civil engineers.

The standards will serve as a road map for IT management securing a range of integral applications that keep the nation running, including financial systems, industrial control systems, and those used in the defense sector.

NIST's announcement included a draft document (PDF) describing the 11 core technical processes in systems and software development that would be implemented under the guidelines. The 121-page document, called “Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems,” was made available online, and NIST is accepting public comment on the draft through July 11.

On Wednesday, Ron Ross, a computer scientist and NIST fellow who helped author the draft document, provided background on the technical guidelines to SCMagazine.com.

“[The process was about] how we can bring these communities together to develop stronger information systems that are more resistant to cyber attacks and to modern threats we see today,” Ross said.

In the NIST release, Ross spoke more to this point, saying that “We need to have the same confidence in the trustworthiness of our IT products and systems that we have in the bridges we drive across or the airplanes we fly in.”

Ross told SCMagazine.com that the developing guidelines were inspired by ISO/IEC 15288, an international standard released in 2008 that provides a framework for system life cycle processes.

The International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronics Engineers (IEEE) jointly released ISO/IEC 15288.
