Systems Security Engineering: NIST SP 800-160

[This is a full day session.]

NIST SP800-160 defines Systems Security Engineering (SSE) as a specialty discipline of systems engineering and advocates for complete integration of SSE into every systems engineering activity conducted regardless of where and when in the system life cycle it is conducted. Systems security engineering draws on well-established security principles, concepts, and techniques to leverage, adapt, and supplement the relevant principles and practices of systems engineering—thus enabling delivery of trustworthy, resilient systems that satisfy stakeholder5 requirements and enforce the organizational security policies within the constraints6 and risk tolerance defined by the stakeholders.

NIST SP800-160 has the objectives: (i) to provide a comprehensive statement of the systems security engineering discipline; (ii) to foster a common mindset to deliver security for any system; (iii) to advance the field of systems security engineering so that it can be applied and studied; (iv) to demonstrate how systems security engineering processes can be effectively integrated into systems engineering processes; and (v) to serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria.

This tutorial constitutes an application of objective (v), and will explain systems security engineering in terms of the vision behind SP800-160, in terms of what it means to be a specialty engineering discipline, and in terms of the specific systems engineering processes and the value-added SSE contributions to those processes.

Prerequisites:

• Attendees of this course should have background or knowledge of systems and software engineering processes to understand the content for this course.

Outline:

1. Introduction.

   This module (1) discusses the need for recognition of systems security engineering as a specialty discipline of systems engineering, (2) outlines various efforts to achieve that goal, and (3) provides the vision that is behind development of NIST SP 800-160.

2. System Engineering Overview

   This module provides the systems engineering context for systems security engineering, and is based on systems engineering as defined by IEEE Std 15288 – Systems and Software Engineering – System Life Cycle Processes.

   Topics: Systems engineering agreement processes, project-enabling processes, project processes, and technical processes.

3. Systems Security Engineering Overview

   This module defines systems security engineering and establishes its relationship to systems security engineering. It also discusses key fundamentals of systems security engineering and how they relate to systems engineering.

   Topics: Role of systems security engineering, protection and security, attributes of a secure system.

4. Essential SSE Contributions to SE

   This module describes the 4 design-focused contributions of SSE.

   Topics: Protection needs, design security relevance, assurance and trustworthiness, security risk management.

5. Walkthrough of Technical Processes

   This module provides a detailed walkthrough of security considerations and activities in each of the 11 systems engineering technical processes.

   Topics: Stakeholder and design requirements; architectural design; implementation and integration; verification and validation; transition, operation, maintenance, and disposal.

6. Overview of Non-Technical Processes

   This module summarizes key systems security contributions to the non-technical Agreement, Project-Enabling, Project processes.

   Topics: Acquisition, Infrastructure Management, Risk Management, Project Planning and Assessment.

7. Summary

   This module summaries the course contents and provides references for additional reading.

About the Instructor:

Michael McEvilley is a principal computer scientist in the Center for National Security at The MITRE Corporation. He has worked in development and assuring of safety- and security-critical software-intensive systems for 30 years. He is a co-author of NIST SP800-160 currently supports USAF efforts to improve the integration of systems security engineering into systems engineering processes. Michael holds a B.S. in Computer Science from Tuskegee Institute, and a M.S. in Computer Science form The George Washington University.