NIST looks to reengineer thinking about cyber

Shutterstock image (by Sergey Nivens): Security concept, lock on a digital screen.

The National Institute of Standards and Technology is set to release an overhauled systems security engineering document it hopes will change the way software and computer designers think about cybersecurity.

An updated draft of NIST's 800-160 document will be released for public comment on May 4. According to its lead author, Dr. Ron Ross, the new 800-160 will kick off a difficult discussion over not only how federal agencies approach cybersecurity, but also how U.S. business and general population should think about it -- not just as an add-on, but as an foundational component of any technology that touches the Internet.

It's become too difficult to cover every possible point of entry into a system, Ross said at an April 27 event hosted by FCW; hackers constantly find ways around technical barriers. What is required, he said, is to build systems that have the capability to limit cyberattackers' ability to penetrate or move around – and to engineer those features into technology from the outset.

"If an airplane crashes, or a bridge collapses, the first people we bring in are engineers," he said. But with cyber, "we go out and collect more threat intelligence."

That's not an approach that will stop attackers who are constantly changing methods, or leveraging tried-and-true malware and other attacks to exploit flawed systems, Ross said.

The document, officially titled NIST Special Publication 800-160: Systems Security Engineering, has been overhauled from its two-year-old original draft. The new iteration takes a more holistic approach to cyber defense. It incorporates International Organization for Standardization systems engineering standards, including 30 different processes aimed at building security capabilities into products, services and systems.

The new 300-page draft, which Ross hopes to finalize by the end of 2016 with input from federal, state, local and commercial sources, begins by recommending that systems be designed with initial input from users. That input can bring more information to bear on precisely what kinds of access is needed by which users, delineates which parts of the system are most in need of protection and other fundamental security aspects, he said.

There will be a two-month comment period on the document, and possibly a second draft in the fall, before the final version is completed at the end of the year, Ross told FCW in an interview after his remarks.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at or follow him on Twitter at @MRockwell4.


  • Congress
    U.S. Capitol (Photo by M DOGAN / Shutterstock)

    Funding bill clears Congress, heads for president's desk

    The $1.3 trillion spending package passed the House of Representatives on March 22 and the Senate in the early hours of March 23. President Trump is expected to sign the bill, securing government funding for the remainder of fiscal year 2018.

  • 2018 Fed 100

    The 2018 Federal 100

    This year's Fed 100 winners show just how much committed and talented individuals can accomplish in federal IT. Read their profiles to learn more!

  • Census
    How tech can save money for 2020 census

    Trump campaign taps census question as a fund-raising tool

    A fundraising email for the Trump-Pence reelection campaign is trying to get supporters behind a controversial change to the census -- asking respondents whether or not they are U.S. citizens.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.