The National Institute of Standards and Technology (NIST) is developing a set of standards that would help developers build security into critical systems “from the ground up.”
On Tuesday, NIST announced that the voluntary guidelines, designed to apply systems and software engineering principles to information system security, will be launched in a four-stage process, starting with technical standards that take a page from those widely used by civil engineers.
The standards will serve as a road map for IT management securing a range of integral applications that keep the nation running, including financial systems, industrial control systems, and those used in the defense sector.
NIST's announcement included a draft document (PDF) describing the 11 core technical processes in systems and software development that would be implemented under the guidelines. The 121-page document, called “Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems,” was made available online, since NIST opened the draft to public comment through July 11.
On Wednesday, Ron Ross, a computer scientist and NIST fellow who helped author the draft document, provided background on the technical guidelines to SCMagazine.com.
“[The process was about] how we can bring these communities together to develop stronger information systems that are more resistant to cyber attacks and to modern threats we see today,” Ross said.
In the NIST release, Ross spoke more to this point, saying that “We need to have the same confidence in the trustworthiness of our IT products and systems that we have in the bridges we drive across or the airplanes we fly in.”
According to Ross, the developing guidelines were inspired by ISO/IEC 15288, an international standard released in 2008 that provides a framework for systems security engineering life cycle processes, he said in an interview with SCMagazine.com.
The International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronic Engineers (IEEE) jointly released ISO/IEC 15288.
In a Wednesday interview with SCMagazine.com, Julian Waits Sr., CEO of ThreatTrack Security, a firm that helps organizations thwart advanced attacks, said that – while there is no such thing as “infallible” software – that the coming NIST standard brings needed guidance to developers and IT management tasked with overseeing critical IT operations and systems.
“In taking the ISO standards that are much more [focused] around risk management… you build the software so that you eliminate as many vulnerabilities as possible before you've finished the designing,” Waits said. “Rather than trying to fix the problem after the application is out, [the approach here is] let's design it with security in mind,” he said.
NIST's release of the draft document is part of the first phase in the standard's development: delineating technical processes to be implemented by developers. In total, four phases are to be completed before NIST publishes a final systems security engineering guideline at the end of the year.
According to NIST's draft document, the remaining phases entail development of supporting appendices and other documents that would support implementation; creation of nontechnical processes that support the security engineering guidelines; and alignment of the released technical and nontechnical guidance.