Integrating Systems Engineering and Security Engineering: NIST SP 800-160

Instructor: Michael McEvilley, MITRE Corporation

The integration of security engineering and system engineering will be addressed as a challenge for both public and private sectors. A motivation for this session at ACSAC is the realization that our increased dependence on automated systems translates to increased consequence of malicious and non-malicious events. This–coupled with the increasing sophistication, capability, presence, and persistence of the adversarial threat–demands rigorous application of foundational security concepts and principles to deliver trustworthy protection capability that is effective in countering threat events, and reducing risk to that which can be tolerated and managed.

Recognizing that security concerns now exist in practically every system and these concerns span the entire system life cycle, it is appropriate that as we strive towards establishing Systems Security Engineering as a recognized engineering discipline, that we also embrace it as a speciality discipline of Systems Engineering.

Two key activities are addressing the integrating of security and systems engineering:

• INCOSE – The July 2013 INCOSE Insight publication is focused on Systems Security Engineering as a specialty of Systems Engineering.

• NIST SP 800-160, “Systems Security Engineering” to be released in CY2014, provides a definition and discussion of Systems Security Engineering as an engineering discipline and advocates its inclusion and application as part of the Systems Engineering Life Cycle Processes of IEEE 15288 “Systems and Software Engineering – System Life Cycle Processes”.