On November 14, 2016, the National Institute of Standards and Technology (“NIST”) published guidance on cybersecurity for internet-connected devices, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems (the “Guidance”). Citing “the continuing frequency, intensity, and adverse consequences of cyber-attacks,” the Guidance “addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems.”
The Guidance emphasizes the importance of engineering internet-connected devices such that security systems are directly built into the design and manufacturing processes. The Guidance outlines steps at each phase of the engineering process that may improve cybersecurity functions, more effectively identify stakeholder assets and protection needs, and reduce risk by building “trustworthy secure systems capable of protecting stakeholder assets.” According to the Guidance, “[t]he objective is to address security issues from a stakeholder protection needs, concerns, and requirements perspective and to use established engineering processes to ensure that such needs, concerns, and requirements are addressed with appropriate fidelity and rigor, early and in a sustainable manner throughout the life cycle of the system.”
The Guidance is voluntary and was drafted to allow for organizational flexibility in implementing security solutions from an engineering perspective. Although the target audience for the Guidance is systems engineers, the Guidance states that cybersecurity analysts, government agencies and private sector entities may benefit from the materials as well.