Greg Otto has a new story on FedScoop about NIST and IoT security, with NIST’s 2nd edition of SP 800-160:
“This one is unique, it is special because it addresses the fundamental things that they need to do to build security into these systems from the start,” said NIST Fellow Ron Ross in an interview with FedScoop at the Public Sector Innovation Summit. “It’s a different approach. It doesn’t come at the security from the bottom-up, it comes at it from the top down. That’s the number one priority because if we do that right, everything else falls into place.”
There are MANY references to firmware in this spec!! Public comment period for this spec is now through July, so PLEASE send them firmware-centric feedback!
Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
NIST Special Publication 800-160
Second Public Draft
Public comment period: May 4 through July 1, 2016
This publication addresses the engineering-driven actions necessary to develop more defensible and survivable systems—including the components that compose and the services that depend on those systems. It starts with and builds upon a set of well-established International Standards for systems and software engineering published by the ISO, the IEC, and the IEEE and infuses systems security engineering techniques, methods, and practices into those systems and software engineering processes. The ultimate objective is to address security issues from a stakeholder requirements and protection needs perspective and to use established engineering processes to ensure that such requirements and needs are addressed with appropriate fidelity and rigor, early and in a sustainable manner throughout the life cycle of the system.