Systems Security Engineering Framework
NIST SP 800-160 Vol 1
Systems engineering provides a foundation for a disciplined and structured approach to building assured, trustworthy secure systems. Systems security engineering is a subdiscipline of systems engineering that addresses security-relevant considerations intended to produce secure outcomes.
In recent years there has been clear recognition that “Systems security engineering must be fundamental to systems engineering. Security fundamentals must be clearly understood by stakeholders and effectively evaluated in a way that considers broad goals with security functions and outcomes.”[1]
NIST SP 800-160 Vol 1r1 (Nov 2022) recognises that “building trustworthy, secure systems cannot occur in a vacuum with stovepipes for software, hardware, information technology, and the human element (e.g., designers, operators, users, attackers of these systems). Rather, it requires a transdisciplinary approach to protection, a determination across all assets where loss could occur, and an understanding of adversity, including how adversaries attack and compromise systems. It addresses security issues from the perspective of stakeholder requirements and protection needs and the use of established engineering processes to ensure that such requirements and needs are addressed with appropriate fidelity and rigor across the entire life cycle of the system.”
This publication describes the security design principles, concepts, and techniques that are part of a trustworthy secure design approach. These can be applied in the development of new capabilities or systems, the modification of existing capabilities or systems, and the development of systems of systems. It is intended to be used by:
- Systems engineers, security engineers, and other engineering professionals.
- Professionals and teams who perform other system life cycle activities or tasks, such as:
  - Security governance, risk management, and oversight
  - Security verification, validation, testing, evaluation, auditing, assessment, inspection, and monitoring
  - Acquisition, budgeting, and project management
  - Operations, maintenance, sustainment, logistics, and support
- Providers of technology-related products, systems, or services
The core objective of the publication is to be engineering-based, not operations- or technology-based. Organisations can adapt the concepts and principles for trustworthy secure design, the systems life cycle processes and security-relevant activities and tasks described in the publication to achieve consistent security outcomes in the capabilities delivered by their systems.
System Security Viewpoints
The publication defines three predominant viewpoints of system security, namely (i) system function, (ii) security function, and (iii) life cycle assets.
System function is the system’s purpose or role as fulfilled by the totality of the capability it delivers combined with its intended use. Every system is required to satisfy all the stakeholder capability needs.
Security function is the system’s fulfilment of the stakeholder’s protection capability needs.
Life cycle assets are associated with the system but are not engineered into or delivered with the system. Life cycle assets typically include intellectual property, data and information associated with the system, and supporting assets for the development, production and sustainment of the system. The association of life cycle assets with the system means that they can be the direct cause of a loss or a conduit or means through which a loss can occur.
The system function is the predominant viewpoint and establishes the context for the security function and the associated system life cycle assets.
Systems Security Engineering Framework
The systems security engineering framework provides a conceptual view of the key contexts within which systems security engineering activities are conducted. It defines three contexts for conducting activities and tasks:
- The problem context helps ensure that the engineering is driven by a sufficiently complete understanding of the problem.
- The solution context drives the effort to provide the solution, supported by a set of activities to design and realize the solution.
- The trustworthiness context is a decision-making context that provides an evidence-based demonstration – through reasoning – that the system of interest is deemed trustworthy (or not) based on a set of claims derived from security objectives.
NIST SP 800-160 Vol 2
Cyber resiliency for systems that include or depend on cyber resources is a part of operational resilience but needs specific guidance because of its distinctive characteristics. The publication provides guidance on how to apply cyber resiliency concepts, constructs, and engineering practices to systems security engineering and risk management. It is to be used by systems security engineers and other professionals who are responsible for activities and tasks related to system life cycle and risk management processes, both within and external to the organisation.
While much of the cyber resiliency analysis in the publication uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) framework, organisations are not constrained to use only the MITRE ATT&CK framework but can use other frameworks too.
Useful concepts from the publication are described below. Readers are advised to consult the publication for detailed information and guidance on cyber resiliency.
Cyber-resilient systems are systems that have security measures or safeguards “built in” as a foundational part of the architecture and design and that display a high level of resiliency to withstand cyber-attacks, faults, and failures and continue to operate in a degraded or debilitated state to carry out the mission-essential functions of the organisation.
Cyber resiliency engineering practices are the methods, processes, modelling, and analytical techniques used to identify and analyse proposed solutions. These practices are applied in system life cycle processes so that the resultant cyber resiliency solutions are aligned with the stakeholder requirements and protection needs.
The cyber resiliency engineering framework provides constructs that include cyber resiliency goals, objectives, techniques, implementation approaches, and design principles. While the publication applies these constructs at the system level, they can also be applied beyond the system level: at the mission and business function level, the organisational level and the sector level. The framework is based on the Cyber Resiliency Engineering Framework developed by the MITRE Corporation[2],[3].
Cyber resiliency goals and objectives provide a vocabulary for describing what properties and capabilities are needed. Cyber resiliency techniques, approaches, and design principles provide a vocabulary for discussing how a system can achieve its cyber resiliency goals and objectives.
The cyber resiliency engineering framework comprises four cyber resiliency goals, namely Anticipate, Withstand, Recover and Adapt, eight cyber resiliency objectives and 14 cyber resiliency techniques.
Cyber resiliency solutions are relevant only if they have some effect on risk. Hence their primary focus is to reduce risk by reducing one or more of the three core factors:
- the likelihood of occurrence of threat events,
- the ability of threat events to cause harm, i.e., the likelihood of impact,
- the extent of harm from threat events, i.e., the level of impact.
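As an added illustration of this point (example code written for this page, not from NIST SP 800-160 Vol 2 or from MITRE), the script below models risk for a set of constructed threat events as the product of the three factors, applies candidate solutions that each reduce one factor for the events they cover, and ranks the candidates by their effect on aggregate risk. A candidate that touches none of the three factors produces no reduction and drops out of the ranking, which is the publication's relevance test in code. The product model, the mapping of technique names to factors, the `ThreatEvent`/`Solution` types and every number are assumptions constructed for illustration, not values from the publication.

```python
"""Toy cyber resiliency risk model (added example, not from NIST SP 800-160 Vol 2).

Modelling assumption: the risk contributed by one threat event is the product of
the three core factors named in the publication: likelihood of occurrence,
likelihood of impact (the event's ability to cause harm once it occurs) and
level of impact. Every number below is a constructed illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ThreatEvent:
    name: str
    p_occur: float   # likelihood of occurrence, 0..1
    p_impact: float  # likelihood of impact: P(harm | event occurs), 0..1
    impact: float    # level of impact, in constructed loss units

    def risk(self) -> float:
        """Risk contribution of this event (product model; an assumption)."""
        return self.p_occur * self.p_impact * self.impact


@dataclass(frozen=True)
class Solution:
    """A candidate resiliency solution, described by which factor(s) it reduces.

    Each factor is a multiplier: 1.0 means no effect on that factor.
    applies_to lists the event names the solution covers; None means all.
    """
    name: str
    occur_factor: float = 1.0
    impact_likelihood_factor: float = 1.0
    impact_level_factor: float = 1.0
    applies_to: Optional[frozenset] = None

    def apply(self, event: ThreatEvent) -> ThreatEvent:
        if self.applies_to is not None and event.name not in self.applies_to:
            return event
        return ThreatEvent(
            event.name,
            event.p_occur * self.occur_factor,
            event.p_impact * self.impact_likelihood_factor,
            event.impact * self.impact_level_factor,
        )


def total_risk(events: Iterable[ThreatEvent]) -> float:
    return sum(e.risk() for e in events)


def residual_risk(events: Iterable[ThreatEvent], solutions: Iterable[Solution]) -> float:
    """Aggregate risk after applying every solution in turn."""
    residual = list(events)
    for s in solutions:
        residual = [s.apply(e) for e in residual]
    return total_risk(residual)


def risk_reduction(events: List[ThreatEvent], solution: Solution) -> float:
    """Absolute reduction in aggregate risk attributable to one solution alone."""
    return total_risk(events) - residual_risk(events, [solution])


def rank_solutions(events: List[ThreatEvent], solutions: Iterable[Solution]) -> List[Tuple[str, float]]:
    """Rank candidates by risk reduction, dropping any with no effect on risk.

    A candidate that changes none of the three factors is, by the publication's
    criterion, not a cyber resiliency solution at all, so it is excluded.
    """
    scored = [(s.name, risk_reduction(events, s)) for s in solutions]
    return sorted([(n, r) for n, r in scored if r > 0], key=lambda x: -x[1])


# Constructed threat events (names, probabilities and loss units are illustrative).
EVENTS = [
    ThreatEvent("ransomware on file server", p_occur=0.4, p_impact=0.8, impact=100),
    ThreatEvent("insider data exfiltration", p_occur=0.2, p_impact=0.5, impact=200),
    ThreatEvent("denial of service", p_occur=0.5, p_impact=0.6, impact=50),
]

# Constructed candidates. The technique names follow the publication's vocabulary;
# which factor each one reduces, and by how much, is an assumption made here.
SOLUTIONS = [
    Solution("Segmentation", occur_factor=0.5),  # harder for an event to reach the asset
    Solution("Redundancy", impact_level_factor=0.4,
             applies_to=frozenset({"ransomware on file server", "denial of service"})),
    Solution("Substantiated Integrity", impact_likelihood_factor=0.5,
             applies_to=frozenset({"ransomware on file server"})),
    Solution("Awareness poster"),  # touches no factor: no effect on risk, so not relevant
]

if __name__ == "__main__":
    print(f"baseline risk: {total_risk(EVENTS):.1f}")
    for name, reduction in rank_solutions(EVENTS, SOLUTIONS):
        print(f"{name:25s} reduces risk by {reduction:.1f}")
    print(f"residual risk with all candidates: {residual_risk(EVENTS, SOLUTIONS):.1f}")
```

With the constructed numbers the baseline risk is 67.0; Segmentation ranks first because it scales every event's likelihood of occurrence, while Redundancy and Substantiated Integrity only affect the events they cover. The "Awareness poster" candidate never appears in the ranking, which is the point: an intervention has to move at least one of the three factors to count as a cyber resiliency solution.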
The publication describes three models for cyber resiliency, namely the risk model, the threat model and the consequence (impact) model. It further identifies controls from NIST SP 800-53, Rev. 5 that directly support cyber resiliency. The principle applied for associating controls with cyber resiliency is that “cyber resiliency is about ensuring continued mission operations despite the fact that an adversary has established a foothold in the organisation’s systems and cyber infrastructure”. It also provides guidance on adversary-oriented analysis for achieving cyber resiliency, specifically from the perspective of protecting systems against adversarial threats, using the MITRE ATT&CK™ for Enterprise[4] and ATT&CK™ for Industrial Control Systems (ICS)[5] frameworks. Supporting perspectives are separately available as the MITRE D3FEND[6] and MITRE Engage[7] frameworks.
[1] Security in the Future of Systems Engineering (FuSE), a Roadmap of Foundational Concepts, INCOSE International Symposium, July 2021.
[2] https://www.mitre.org/news-insights/publication/cyber-resiliency-engineering-framework
[3] https://www.mitre.org/news-insights/publication/cyber-resiliency-engineering-aid-updated-cyber-resiliency-engineering