NIST Updates Cyber Resiliency Guidance
The National Institute of Standards and Technology has released the first revision to its flagship cyber resiliency guidance with updated controls and a single threat taxonomy. A product of the institute’s Systems Security Engineering initiative, the guidance reflects the latest cyber resiliency implementation approaches for engineers to address known hacker tactics laid out in the ATT&CK framework, FedScoop reported Thursday.
According to the newly published guidance, the NIST Systems Security Engineering initiative seeks to address security, safety and resiliency issues from the perspective of stakeholder requirements and protection needs. To ensure that those needs are met, established engineering processes are “used across the entire system life cycle to develop more trustworthy systems.”
NIST’s updated Special Publication 800-160 Vol. 2 seeks to align cyber resilience controls with security and privacy controls for agencies and industries alike, as well as map them to MITRE’s ATT&CK threat framework.
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations of cyber attacks. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community, MITRE’s website said.
The guidance provides a cyber resiliency engineering framework, complete with a tailorable analysis, that agencies can use to determine whether any of their systems, regardless of age, are at risk of being compromised by advanced persistent threats.
Technical appendices attached to the guidance supplement the framework with, among others, background and contextual information on cyber resiliency and detailed descriptions of goals, objectives, techniques, implementation approaches and design principles.
FedScoop noted that cyber resiliency engineers design and maintain systems that anticipate, withstand, recover from and adapt to stresses, attacks and compromises, thereby reducing risk to agencies.