NIST Publishes Draft Update of Guidance on Developing Cyber-Resilient Systems

The National Institute of Standards and Technology (NIST) has released a draft version of updated guidance to help organizations improve their defenses against ransomware and other destructive cyberattacks by developing cyber resilient systems.

Organizations can implement robust perimeter defenses and adopt a defense-in-depth approach to cybersecurity, but recent attacks have shown that even sophisticated perimeter defenses can be breached. Threat actors often target the weakest link, typically employees, using social engineering in phishing campaigns to harvest credentials and gain an initial foothold on the internal network. Vulnerabilities in software and operating systems are also commonly exploited to bypass perimeter defenses.

The NIST guidance document – Draft NIST Special Publication 800-160, Volume 2, Revision 1, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach – advocates a departure from reliance on traditional perimeter defenses and instead calls for IT systems to be engineered so that they remain resilient to attacks launched from within the network.

Security teams should assume that their perimeter defenses have already been breached and that unauthorized individuals either already have access to internal resources or will gain it at some point in the future. Safeguards and countermeasures should therefore be put in place to limit the damage an intruder can cause to the network and infrastructure.

According to NIST, cyber resilience is “the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyber resources.” The aim should be to implement measures that will limit damage to mission critical IT systems and will allow them to continue to function to support business operations while an attack is remediated.

“What we want to achieve is a system that we call ‘cyber resilient’ or a system that is sufficiently resilient where it can continue to operate and support critical missions in business operations – even if it’s not in a perfect state or even in somewhat of a degraded state,” said NIST Fellow Ron Ross, who wrote the updated guidance document with assistance provided by other NIST staff and cybersecurity experts at MITRE Corp.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

The guidance document describes tools, techniques, and approaches that IT security teams can adopt to improve cyber resilience, covering both legacy systems that are already deployed and considerations for new IT systems. It also provides advice on zero-trust architectures to prevent or limit lateral movement within networks.

Key aspects of the update include: updated controls to support cyber resiliency, aligned with NIST’s Security and Privacy Controls for Information Systems and Organizations (SP 800-53, Revision 5); a single threat taxonomy based on the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework; and new material showing how cyber resiliency techniques and implementation approaches map to SP 800-53, Revision 5 controls and to the MITRE ATT&CK framework.

NIST is seeking comments on the draft guidance until September 20, 2021, with the final version expected to be published before the end of the year.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: