NIST looks to reengineer thinking about cyber

Shutterstock image (by Sergey Nivens): Security concept, lock on a digital screen.

The National Institute of Standards and Technology is set to release an overhauled systems security engineering document it hopes will change the way software and computer designers think about cybersecurity.

An updated draft of NIST's 800-160 document will be released for public comment on May 4. According to its lead author, Dr. Ron Ross, the new 800-160 will kick off a difficult discussion over not only how federal agencies approach cybersecurity, but also how U.S. business and general population should think about it -- not just as an add-on, but as an foundational component of any technology that touches the Internet.

It's become too difficult to cover every possible point of entry into a system, Ross said at an April 27 event hosted by FCW; hackers constantly find ways around technical barriers. What is required, he said, is to build systems that have the capability to limit cyberattackers' ability to penetrate or move around – and to engineer those features into technology from the outset.

"If an airplane crashes, or a bridge collapses, the first people we bring in are engineers," he said. But with cyber, "we go out and collect more threat intelligence."

That's not an approach that will stop attackers who are constantly changing methods, or leveraging tried-and-true malware and other attacks to exploit flawed systems, Ross said.

The document, officially titled NIST Special Publication 800-160: Systems Security Engineering, has been overhauled from its two-year-old original draft. The new iteration takes a more holistic approach to cyber defense. It incorporates International Organization for Standardization systems engineering standards, including 30 different processes aimed at building security capabilities into products, services and systems.

The new 300-page draft, which Ross hopes to finalize by the end of 2016 with input from federal, state, local and commercial sources, begins by recommending that systems be designed with initial input from users. That input can bring more information to bear on precisely what kinds of access is needed by which users, delineates which parts of the system are most in need of protection and other fundamental security aspects, he said.

There will be a two-month comment period on the document, and possibly a second draft in the fall, before the final version is completed at the end of the year, Ross told FCW in an interview after his remarks.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at [email protected] or follow him on Twitter at @MRockwell4.


  • FCW Perspectives
    remote workers (elenabsl/

    Post-pandemic IT leadership

    The rush to maximum telework did more than showcase the importance of IT -- it also forced them to rethink their own operations.

  • Management
    shutterstock image By enzozo; photo ID: 319763930

    Where does the TMF Board go from here?

    With a $1 billion cash infusion, relaxed repayment guidelines and a surge in proposals from federal agencies, questions have been raised about whether the board overseeing the Technology Modernization Fund has been scaled to cope with its newfound popularity.

Stay Connected