NIST pushing holistic cybersecurity process for IoT

The National Institute of Standards and Technology has released a draft document that implores the engineers of cyber-physical systems to build security into their systems at every step of the process.

NIST Special Publication 800-160 covers everything from smartphones to industrial control systems, intended for anyone who designs, develops, builds, implements, organizes or sustains something related to the Internet of Things — or what the agency calls “cyber-physical systems.”

“This one is unique, it is special because it addresses the fundamental things that they need to do to build security into these systems from the start,” said NIST Fellow Ron Ross in an interview with FedScoop at the Public Sector Innovation Summit. “It’s a different approach. It doesn’t come at the security from the bottom-up, it comes at it from the top down. That’s the number one priority because if we do that right, everything else falls into place.”

The new draft, released this week, builds on top of the first version of the document by integrating the international ISO/IEC/IEEE Standard 15288 for Systems and Software Engineering, approaching cybersecurity in the same way engineers approach security for physical infrastructure, such as bridges or buildings.

The document’s ultimate objective is adequately protecting infrastructure through reducing a system’s susceptibility to adverse consequences—all in the context of an organization’s tolerance for risk.

“The systems security engineering considerations in NIST SP 800-160 give organizations the capability to strengthen their systems against cyberattacks, limit the damage from those attacks if they occur, and make their systems survivable,” Ross said.

Robert Bigman, former chief information security officer at the CIA, thinks the value of the 300-page draft is in its approach to building systems that organizations and users can trust.

“The key to reducing the risk to our critical infrastructure is to build ‘trustable’ systems on a foundation of systematic and accepted engineering principles,” Bigman said in a release.

The draft version will be open for comment until July 1, with another draft version expected to be released later this year.

You can view NIST 800-160 on the agency’s website.
