Building a house requires a blueprint. When it comes to building systems, National Institute of Standards and Technology’s (NIST) documents about security by design are some of the most reliable blueprints. As systems become more complex, they’re also more likely to be fragile. Meanwhile, we continue to add new devices, apps and tools into our daily lives faster and faster. These two conditions create the perfect landscape for constant change. They also drive invention in cybersecurity and, generally speaking, the future of digital defense.

So, if cybersecurity experts should expect this rapid pace of change to continue into the future, what is the best way to create an effective blueprint for it? An answer lays in the security by design (sometimes referred to as SBD and SbD) approach, clearly spelled out in NIST SP 800-160 Volume 1, Systems Security Engineering, Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. It’s a great document, but people in the industry don’t value it enough; it should be seen and applied more often.

So, let’s take a look at an 80,000-foot view of NIST SP 800-160.

This article is the first of a four-part series. We’ll draw out some high-level key thinking behind NIST SP 800-160, briefly touching on the introduction and the core concepts covered in the first two chapters. The following three pieces will cover parts of chapter three, which focuses on the system life cycle process.

The Stages of Constant Change

Before diving into NIST SP 800-160 and the security by design principles, understand the information technology world we live in. Living in disruption all the time is like going through the stages of grief:

  • You are prone to compromise because systems are at risk by design (denial).
  • Attacks on your system will frustrate you (anger).
  • You will try to short circuit the frustration by using a quick fix (bargaining).
  • You will realize this is a hard battle to win (depression).
  • You understand there are no quick fixes and you just have to manage this thing called information security (acceptance).

If you haven’t reached the acceptance stage, you may not be ready for your NIST 800-160 journey. The reason is because the security system engineering thought process helps you manage existing and future cybersecurity challenges from a paradigm that is only recently gaining traction: looking at your network as a complex, connected system of systems, acting and operating as one.

History and Purpose of NIST SP 800-160

NIST created SP 800-160 because the powerful and complex digital systems developed by the U.S. are linked to economic and national security interests. The Department of Defense acknowledged that cyber threats are serious and concluded that cybersecurity had several main risks. Threat actors were breaking into networks, red teams could cause disruption with relative ease and our networks and systems had a weak defensive posture. The Defense Science Board noted the two top tiers of vulnerabilities — unknown vulnerabilities and those created by threat actors — were almost always hidden from the groups they affected. Therefore, the key is to minimize cyber risk by looking at information security challenges through a security design-first perspective.

To shore up these weaknesses, NIST addressed the issue from an engineering perspective. This perspective would not only help defend the system, but also make it survive. By approaching the issue with the lens of security design, information security systems and cybersecurity innovations could not only be resilient, but they could become antifragile. In other words, they strengthen when tested.

NIST SP 800-160 was able to achieve this feat by building upon established international standards. It brings them all together to create a ‘system of systems’ that focuses on security engineering techniques, methods and practices. The system of systems’ approach is critical to knowing the principles outlined in NIST SP 800-160, as it forces you to think through the entire life cycle of your operations.

Think of Security by Design Like a Human Body

Your body may have a lot of different parts, but put together, they are a system of systems that work together and help you get through your daily life. As part of that daily grind, our bodies have methods of protection, namely by using systems in tandem.

For example, if you cut your finger and develop an infection, the body doesn’t give up on your finger and grow a new one. Rather, your immune system heals the area around the finger to protect the rest of the body. This is why hygiene — and cyber hygiene — is vital. When you’re using security by design principles, the end state is very much like a human body. All systems work together as one.

Key Principles of Security by Design

So, where do you start with NIST SP 800-160 to apply these principles to your own systems? Chapters 1 and 2 lay out the definitions and concept of the security by design method. Pay special attention to when these two chapters lay out the thinking behind definitions and concepts. One of the hidden gems of this document is that it outlines the principles and core concepts in a manner that forces you to apply the concepts to your own needs. This format also helps you customize them. These clearly stated principles mean you can understand why the document defines things the way it does. If the document doesn’t define your specific needs, you’ll still learn what factors you should consider to define it in a manner that applies to your systems.

One of those core concepts is trustworthiness and the requirements behind it. These can include attributes of safety, security, reliability, dependability, performance, resilience and survivability under a wide range of potential threats. This forces you to think about digital defense from your own perspective and in terms of what your group can do. By nature, measures of trustworthiness are meaningful only to the extent that the standards are sufficiently complete and well-defined, and that readers can correctly assess them.

Scratching the Surface of NIST SP 800-160

NIST SP 800-160 applies to any enterprise serious about their information security design. It also applies at any stage of the life cycle. As the special publication says, you can use it if you are looking to:

  • Add new systems
  • Modify existing systems
  • Use dedicated or special-purpose systems
  • Use systems-of-systems
  • Evolve systems
  • Retire systems

In chapter 2, the document focuses more deeply on some of the basics. Here, it draws out the importance of being holistic in your approach. These core concepts guide you on how to be critical about your thinking and your problem solving. They look well beyond just technical safeguards and measures. Some of those include cost, scheduling, effectiveness, operational performance and technical performance, all of which are driven by your risk tolerances.

Chapter 2 also outlines the multidisciplinary aspects that go into a system engineering effort. It demonstrates links between systems, adequacy, standards (and limits) of stakeholder input, asset considerations tolerances, event consequences and loss considerations, active and passive protections and many other issues.

Apply Security by Design and System Engineering

Chapters 1 and 2 alone are over 20 pages. They lay the bedrock of what sort of thinking needs to go into securing a system.

Keep in mind these words from Carl Landwehr: “This whole economic boom in cybersecurity seems largely to be a consequence of poor engineering.”

Those looking to improve their cybersecurity posture would be well served to look at the engineering of their system as a sound first step. NIST SP 800-160 helps you focus on what matters as you do.

More from CISO

Bridging the 3.4 Million Workforce Gap in Cybersecurity

As new cybersecurity threats continue to loom, the industry is running short of workers to face them. The 2022 (ISC)2 Cybersecurity Workforce Study identified a 3.4 million worldwide cybersecurity worker gap; the total existing workforce is estimated at 4.7 million. Yet despite adding workers this past year, that gap continued to widen.Nearly 12,000 participants in that study felt that additional staff would have a hugely positive impact on their ability to perform their duties. More hires would boost proper risk…

CEO, CIO or CFO: Who Should Your CISO Report To?

As we move deeper into a digitally dependent future, the growing concern of data breaches and other cyber threats has led to the rise of the Chief Information Security Officer (CISO). This position is essential in almost every company that relies on digital information. They are responsible for developing and implementing strategies to harden the organization's defenses against cyberattacks. However, while many organizations don't question the value of a CISO, there should be more debate over who this important role…

Everyone Wants to Build a Cyber Range: Should You?

In the last few years, IBM X-Force has seen an unprecedented increase in requests to build cyber ranges. By cyber ranges, we mean facilities or online spaces that enable team training and exercises of cyberattack responses. Companies understand the need to drill their plans based on real-world conditions and using real tools, attacks and procedures. What’s driving this increased demand? The increase in remote and hybrid work models emerging from the COVID-19 pandemic has elevated the priority to collaborate and…

Why Quantum Computing Capabilities Are Creating Security Vulnerabilities Today

Quantum computing capabilities are already impacting your organization. While data encryption and operational disruption have long troubled Chief Information Security Officers (CISOs), the threat posed by emerging quantum computing capabilities is far more profound and immediate. Indeed, quantum computing poses an existential risk to the classical encryption protocols that enable virtually all digital transactions. Over the next several years, widespread data encryption mechanisms, such as public-key cryptography (PKC), could become vulnerable. Any classically encrypted communication could be wiretapped and is…