NIST's Dream: Integrating Security Into Design

Sean Lyngaas | FCW | May 14, 2014

The National Institute of Standards and Technology hopes its new guidelines for IT security will beget a systems engineering process in which security is intrinsic to product design rather than an afterthought. The guidelines, posted May 12, offer best practices for information systems security based on international engineering standards. They are the culmination of a two-year process that co-author Ron Ross said was not reactive to specific cyber threats like Heartbleed but rather underpinned by broad security principles.

"I think every ... industry will look at this a little differently, depending on what niche they occupy," said Ross, who is a fellow in NIST's Computer Security Division. Given the Pentagon's active role in developing the guidelines, defense firms might take a particular interest in how the document is applied. NIST worked "really closely" with DOD in developing the engineering guidelines, Ross said, building on a task force formed with intelligence agencies in 2009 to standardize information security for the federal government...