The National Institute of Standards and Technology on Tuesday released a draft set of guidelines designed to improve security for critical systems and software.
The draft document, “Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems,” is the first in a four-stage process of developing a detailed guide for systems security.
NIST Fellow Ron Ross — one of three co-authors of the draft — said the project is meant to make IT security an initial concern in the system and software design process, rather than an afterthought. Ross hopes this will lead to more trustworthy systems in the long run.
“My first car had seat belts and no airbags,” Ross said, noting how early automobile safety features were add-on options. But now, those features have become standardized. “We’d like to have the same level of confidence in our software and systems,” he said.
To do this, Ross and his team have collaborated for the past two years. Instead of trying to create something revolutionary, Ross said they drew upon three decades of work that came before them in the “information assurance technical framework” field, as well as the work of multiple international standards organizations.
“We wanted to stand on previous work that was done,” he said. “We don’t want to reinvent the wheel, but we do want to be able to show how security engineering can be effectively integrated into a systems and software engineering process.”
In addition to illuminating the fundamentals of systems and software security engineering, this first draft will highlight 11 core technical processes in systems and software development.
The later three drafts will act as supplemental appendices to the initial release. Altogether, the guidelines should be completed and released to the public in December 2014.
“By integrating our best practices into a well-established engineering process, we then can start to communicate with the system engineers who speak a different language than security engineers,” Ross said. “That dialogue is important to understanding what each discipline does and how they can work together to achieve a common goal. That’s really one of the main objectives of this publication.”
Though the primary audience of the new initiative is the federal government, the draft guidelines can act as a foundation for improving consumer confidence in the security of the IT they purchase, something Ross said was left out in the past. And for the vendors, that means being able to offer their customers products with greater security assurance.
“We’re really excited about this guidance because it’s going to be as much about technical matters as cultural matters,” Ross said. “The way that we fundamentally address security today may be changed by [it].”