Applying Engineering Values to InfoSec

NIST's Ron Ross on New Approach to Safeguard IT

Ron Ross

The National Institute of Standards and Technology is developing new cybersecurity standards based on the same principles engineers use to build bridges and jetliners.

At the University of Minnesota College of Science and Engineering's Technology Leadership Institute on May 13, NIST Fellow Ron Ross unveiled a draft of NIST Special Publication 800-160, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems. The guidelines recommend steps to help develop a more defensible information technology infrastructure, including the component products, systems and services that constitute the infrastructure.

In an interview with Information Security Media Group, Ross says principles employed by engineers can be used to communicate to all stakeholders the goals for creating new infrastructures. "By integrating the security-engineering processes into those systems-engineering processes, and software engineering, we are now being able to bridge that communication's gap between these two disciplines," Ross says.

"By having that communication, having the dialogue, systems and software engineers now will understand more about what good systems security engineering is all about, and we also will know, as security professionals, what are some of the tradeoffs we have to make as that system is developed."

The NIST computer scientist says the systems security engineering discipline is applicable to each stage of the system life cycle.

SP 800-160 calls for a four-phase development approach that will culminate in the publication of the final special publication at year's end. The four phases include:

Development of the systems security engineering technical processes;
Development of appendices, such as those focusing on information security; a risk management framework; security controls; use-case scenarios; roles and responsibilities; system resiliency; security and trustworthiness; and acquisitions, as well as the Department of Defense systems engineer process;
Development of nontechnical processes; and
Alignment of the technical and nontechnical processes.

Although it primarily targets the creators of IT systems, the guidance is also aimed at those involved with governance and risk management; acquisition and project management; system design and integration; and testing and auditing, as well as providers of technology products and services.

In the interview, Ross explains the:

Genesis of the guidance;
Role of systems security engineers; and
Reasons why IT security practitioners should emulate engineers.

NIST is seeking public comments on the draft publication. Comments should be sent by July 11.

Ross, lead author of NIST's authoritative guidance on risk assessment and risk management, specializes in security requirements definition, security testing and evaluation, and information assurance. He leads NIST's Federal Information Security Management Act Implementation Project, which includes the development of key security standards and guidelines for the federal government and critical information infrastructure.