The Impact of the NIST SP 800-64r2 Withdrawal on the System Development Life Cycle
by Chris Fillebrown, Lead Systems Engineer for Human Genome Sequencing Center, Baylor College of Medicine
On May 31, 2019, the National Institute of Standards and Technology (NIST) withdrew NIST Special Publication (SP) 800-64r2, Security Considerations in the System Development Life Cycle. Why did NIST make this decision? The security breaches making headlines are proof-positive that NIST 800-64r2 has not been effective.
The new standard adopted in its stead is NIST SP 800-160v1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. The new approach to secure systems engineering is based on the international standard ISO/IEC/IEEE 15288 Systems and Software Engineering—System Life Cycle Processes.
For those of us responsible for systems implementation, maintenance, or management, it’s important that we understand what the new standard means and how to start incorporating it in our organizations.
What the New NIST SP 800-160v1 Standard Means
The new standard means that security considerations are now driven by systems engineering activities, with less emphasis on documentation, which had overwhelmed the prior standard.
Why is the systems engineering approach more effective?
The beauty of the new standard is that it is driven by activities that occur naturally in an organization’s life. Numerous activities from various disciplines happen on and around systems as a matter of course. It is not possible to have systems without systems engineering activities. To use those activities, all you have to do is identify the two-letter systems engineering code from NIST 800-160v1 for the activity and then use it to index into the security discussions listed in NIST 800-160v1 for that specific activity.
What are the systems engineering activities?
In its Systems Engineering Handbook, the International Council on Systems Engineering (INCOSE) provides process names and process designators for systems engineering activities that align closely with the activities listed in NIST 800-160v1. The book is consistent with ISO/IEC/IEEE 15288 and is a valuable resource for working with NIST 800-160v1. It offers guidance on various systems engineering activities covering a wide range of systems concepts and insights into system thinking.
The INCOSE secure systems engineering phases
The Systems Engineering Handbook describes phases for the systems development life cycle: Concept, Development, Production, Utilization, Support, and Retirement.
These phases are different from the ones described in the withdrawn NIST 800-64r2.
INCOSE process designators
INCOSE uses process designators to organize the 30 two-letter codes that describe systems engineering activities. The activity codes describe a mature set of established systems engineering practices. NIST 800-160v1 provides a security discussion for each individual systems engineering activity, and that discussion leads to an understanding of the appropriate security control(s) for the system.
How to Use NIST SP 800-160v1
The new standard’s security discussions help you identify the security controls you should implement for the activity you are engaged in. Under NIST 800-160v1, the System Development Life Cycle (SDLC) is the systems engineering activity plus the security discussions for that activity.
To help your organization understand and operate under the new standard, you should map each systems engineering activity to one of the updated systems engineering phases—Concept, Development, Production, Utilization, Support, and Retirement.
NIST 800-160v1 states that there is no explicit mapping of INCOSE activities to phases but also states that security professionals are free to engage the activities in any phase. It also states that you are free to tailor activities to fit your organization. Although not prescribed, there is nothing stopping you from making an explicit mapping. I suggest mapping the activity codes to the phase that feels most natural for that activity within your organization.
An overview of my organization’s new process
I use this outline to ensure that documentation of systems activity is consistent. It’s easy to customize this outline to fit your way of thinking about systems, but be sure to use a consistent format.
- Project Name
- Description
- Contacts
- Activity start/end date
- Two-letter activity code(s) (from the INCOSE Process Designators)
- Security discussion (from NIST 800-160v1)
- Security control(s)
With the framework of systems engineering phases and activities in place, coupled with security discussions listed in NIST 800-160v1, my organization’s process looks like this:
- Identify the systems engineering activity before it starts.
- Identify individuals required to complete the activity.
- Open the document for the project and the appropriate phase for the activity.
- Copy the security discussion into the document.
- Reformat the security discussion into a checklist.
- Facilitate the security discussions with the individuals involved in the activity.
- Implement the security controls identified by engaging in security discussions.
- Update the list until the activity has been completed.