NIST looks to reengineer thinking about cyber

Shutterstock image (by Sergey Nivens): Security concept, lock on a digital screen.

The National Institute of Standards and Technology is set to release an overhauled systems security engineering document it hopes will change the way software and computer designers think about cybersecurity.

An updated draft of NIST's 800-160 document will be released for public comment on May 4. According to its lead author, Dr. Ron Ross, the new 800-160 will kick off a difficult discussion over not only how federal agencies approach cybersecurity, but also how U.S. business and general population should think about it -- not just as an add-on, but as an foundational component of any technology that touches the Internet.

It's become too difficult to cover every possible point of entry into a system, Ross said at an April 27 event hosted by FCW; hackers constantly find ways around technical barriers. What is required, he said, is to build systems that have the capability to limit cyberattackers' ability to penetrate or move around – and to engineer those features into technology from the outset.

"If an airplane crashes, or a bridge collapses, the first people we bring in are engineers," he said. But with cyber, "we go out and collect more threat intelligence."

That's not an approach that will stop attackers who are constantly changing methods, or leveraging tried-and-true malware and other attacks to exploit flawed systems, Ross said.

The document, officially titled NIST Special Publication 800-160: Systems Security Engineering, has been overhauled from its two-year-old original draft. The new iteration takes a more holistic approach to cyber defense. It incorporates International Organization for Standardization systems engineering standards, including 30 different processes aimed at building security capabilities into products, services and systems.

The new 300-page draft, which Ross hopes to finalize by the end of 2016 with input from federal, state, local and commercial sources, begins by recommending that systems be designed with initial input from users. That input can bring more information to bear on precisely what kinds of access is needed by which users, delineates which parts of the system are most in need of protection and other fundamental security aspects, he said.

There will be a two-month comment period on the document, and possibly a second draft in the fall, before the final version is completed at the end of the year, Ross told FCW in an interview after his remarks.

About the Author

Mark Rockwell is a staff writer at FCW.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at or follow him on Twitter at @MRockwell4.

The Fed 100

Read the profiles of all this year's winners.


  • Shutterstock image (by wk1003mike): cloud system fracture.

    Does the IRS have a cloud strategy?

    Congress and watchdog agencies have dinged the IRS for lacking an enterprise cloud strategy seven years after it became the official policy of the U.S. government.

  • Shutterstock image: illuminated connections between devices.

    Who won what in EIS

    The General Services Administration posted detailed data on how the $50 billion Enterprise Infrastructure Solutions contract might be divvied up.

  • Wikimedia Image: U.S. Cyber Command logo.

    Trump elevates CyberCom to combatant command status

    The White House announced a long-planned move to elevate Cyber Command to the status of a full combatant command.

  • Photo credit: John Roman Images /

    Verizon plans FirstNet rival

    Verizon says it will carve a dedicated network out of its extensive national 4G LTE network for first responders, in competition with FirstNet.

  • AI concept art

    Can AI tools replace feds?

    The Heritage Foundation is recommending that hundreds of thousands of federal jobs be replaced by automation as part of a larger government reorganization strategy.

  • DOD Common Access Cards

    DOD pushes toward CAC replacement

    Defense officials hope the Common Access Card's days are numbered as they continue to test new identity management solutions.

Reader comments

Tue, May 3, 2016 Audra T. Gabriel Burlington, NC 27215

I wish Dr. Ron Ross and NIST would reach out to the International Information System Security Certification Consortium, also known as (ISC)², and consider the time they've put into DoDD 8570, NSA's ISSEP program, and ANSI ISO/IEC Standard 17024:2003. Thank you.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group