cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Flyslinger2
Community Champion

An interview with NIST's Ron Ross - post mortem of the hack by the Chinese of a Navy Contractor

Ron suggests that NIST Publication 800-160 is the foundation for getting stakeholders involved early in the SDLC to get security throughout the process.

 

I'm wrestling with this issue with my current customer.  Just last week I had to caution them on accepting product developed in Linux and the incorrect usage of accounts.  They were shocked that I would reject the delivery!  

 

The customer didn't establish the security posture, didn't audit it on delivery and the vendor should know better as well.

 

 

3 Replies
CraginS
Defender I


@Flyslinger2 wrote:

Ron suggests that NIST Publication 800-160 is the foundation for getting stakeholders involved early in the SDLC to get security throughout the process.


Every security professional should be familiar with NIST Special Publication 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. 

AP 800-160 brings the principles of systems engineering into the security space. The seed for 800-160 was the nearly-lost Chapter 3 of NSA's Information Assurance Technical Framework (IATF) that defined Information Systems Security Engineering (ISSE). The NIST publication, however, is not just about information systems; it is about security engineering in any system. The starting point of any system design is determining the requirements for the system operation, and ensuring all known stakeholders have input to the requirements development process. 

 

In keeping with the BSIMM concept of "build it in, don't add it on," the SSE process gives us the way to figure out what to build in!

 

Historical notes: The original version of the CISSP-ISSEP concentration was based on IATF Chapter 3, and was developed specifically under an (ISC)2 contract with NSA. The earliest discussions with Dr. Ross that eventually led to the development of SP 800-160 came from a panel discussion at an ISSA chapter meeting on how to "build it in." By that time, NSA was no longer maintaining the IATF, and Chapter 3 was no longer generally available on the web. Dr. Ross realized he could generate the replacement guidance at NIST. I was present at that meeting. Also, 800-160 co-author Michael McEvilley was a colleague at my company as he worked on the publication. 

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts
TXWayne
Newcomer II

Here is a good link to a summary of what all the DoD is doing relative to supply chain security.  Some of it is good and some very misguided due to a lack of understanding the threat on the DIB side, it is not the same as what the DoD is seeing.

 

https://www.akingump.com/images/content/1/0/v2/100186/DOD-and-Other-Agencies-Seek-to-Enhance-Contrac...

AppDefects
Community Champion

Don't forget it's (USA) National Supply Chain Integrity Month. Lots of great awareness resources here:)