NIST Updates Cybersecurity Engineering Guidelines


Amid constant cybersecurity threats, NIST added more insight for engineers and programmers on how to mitigate system vulnerabilities.

Set against a national backdrop of enhanced cybersecurity risk across all industries, the National Institute of Standards and Technology updated its guidance for system engineers. 

Titled “Engineering Trustworthy Secure Systems,” the document stems from President Joe Biden’s 2021 executive order aimed at boosting the federal government’s defenses in the wake of several large-scale attacks on critical infrastructure.

NIST’s publication is a resource for computer engineers and other professionals on the programming side of cybersecurity efforts. 

“This publication addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose those systems and the capabilities and services delivered by those systems,” the document reads. 

Spanning over 200 pages, the publication takes a holistic approach to systems engineering. NIST researchers give an overview of the objectives and concepts of modern security systems, primarily regarding the protection of a system's digital assets. 

One of the key updates NIST authors made in the latest version of the publication was a fresh emphasis on security assurances. In software systems engineering, assurance is represented by the evidence that a given system’s security procedures are robust enough to mitigate asset loss and prevent cyber attacks. 

Ron Ross, a NIST fellow and one of the authors of the document, told Nextgov that system assurances act as justifications that a security system can operate effectively.

“Evidence generated during the system life cycle is essential to building assurance cases for systems being deployed in the critical infrastructure,” Ross said. “Assurance cases can turn security into something that is concrete, measurable, and shareable. Building and delivering assurance is the way to drive the culture of security.”

The newest draft of “Engineering Trustworthy Secure Systems” also looks into the fundamental elements of how to build a trustworthy secure design, which hinges on the proactive elimination or mitigation of vulnerabilities. It also compiles the various loss control design principles in one section and outlines how they each function. 

“Building trustworthy, secure systems cannot occur in a vacuum with isolated stovepipes for cyberspace, software, and information technology,” the guidelines note. “Rather, it requires a holistic approach to protection, broad-based thinking across all assets where loss could occur, and an understanding of adversity, including how adversaries attack and compromise systems.”

NIST has published similar guidelines in recent years. In 2018, one guidebook focused on how federal agencies can secure legacy information technology systems against cyberattacks. And in August 2021, officials published a broader document on cyber-resilient systems for public and private-sector organizations.