Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Taking Measure

Just a Standard Blog

Rethinking Cybersecurity from the Inside Out

By: Ron Ross
man sitting at large screen with smaller monitor screens
Credit: Alessia Pierdomenico/

After four years of research and development, NIST has published a groundbreaking new security guideline that addresses the longstanding problem of how to engineer trustworthy, secure systems—systems that can provide continuity of capabilities, functions, services, and operations during a wide range of disruptions, threats, and other hazards. In fact, I think that Special Publication 800-160, Systems Security Engineering, is the most important publication that I have been associated with in my two decades of service with NIST.

I want to share what led me to this conclusion.

The Current Landscape

The United States, and every other industrialized nation, is experiencing explosive growth in information technology. These technological innovations have given us access to computing and communications capabilities unparalleled in the history of mankind.

These rapid advancements, and the dramatic growth in consumer demand for them, are occurring alongside a revolutionary convergence of cyber and physical systems, or cyber-physical systems (CPS). The worldwide distribution of these technologies has resulted in a highly complex information technology infrastructure of systems and networks that are difficult to understand and even more difficult to protect.

Today, we are spending more on cybersecurity than ever before. At the same time, we are witnessing an increasing number of successful cyberattacks by nation states, terrorists, hacktivists, and other bad actors who are stealing our intellectual property, national secrets, and private information. Unless we make some kind of radical change to the way we think about and fight these attacks, they are going to have an increasingly debilitating—and potentially disastrous—effect on the economic and national security interests of the United States.

The Basic Problem Is Simple

Our fundamental cybersecurity problem can be summed up in three words—too much complexity. There are simply too many bases—all the software, firmware, and hardware components that we rely on to run our critical infrastructure, business, and industrial systems—for us to cover as it is, and we’re adding to the number of bases all the time.

Increased complexity translates to increased attack surface—providing adversaries a limitless opportunity to exploit vulnerabilities resulting from inherent weaknesses and deficiencies in the components of the underlying systems that we have built and deployed. We can characterize this predicament as the N+1 vulnerabilities problem.

According to the Defense Science Board 2013 study done for the U.S. military, there are vulnerabilities that are known; those that are unknown; and those created by your adversaries after they have taken control of your system. Given this reality, there are vulnerabilities that we can find and fix, and a growing number of vulnerabilities that we cannot detect and therefore, remain unmitigated.

While we are making significant improvements in our reactive security measures, including intrusion detection and response capabilities, those measures fail to address the fundamental weaknesses in system architecture and design. These weaknesses can only be addressed with a holistic approach based on sound systems security engineering techniques and security design principles. This holistic approach will make our systems more penetration-resistant; capable of limiting the damage from disruptions, hazards, and threats; and sufficiently resilient so they can continue to support critical missions and business functions after they are compromised.

Engineering-Based Solutions

We have a high degree of confidence our bridges and airplanes are safe and structurally sound. We trust those technologies because we know that they were designed and built by applying the basic laws of physics, principles of mathematics, and concepts of engineering. If bridges were routinely collapsing and airplanes were frequently crashing, the first people we would call would be the scientists and engineers. They would do root-cause failure analysis, find out what went wrong, and fix the problem.

Cybersecurity efforts today are largely focused on what is commonly referred to as “cyber hygiene.” Cyber hygiene includes such activities as inventorying hardware and software assets; configuring firewalls and other commercial products; scanning for vulnerabilities; patching systems; and monitoring.

While practicing good cyber hygiene is certainly necessary, it’s not enough. This is because these activities don’t affect the basic architecture and design of the system. Even if we were to achieve perfection above the water line, we would still be leaving our most critical systems highly vulnerable due to our inability to manage and reduce the complexity of the technology.

The only way to address the N+1 vulnerabilities problem is to incorporate well-defined engineering-based security design principles at every level, from the physical to the virtual. These principles should be driven by mission and business objectives, stakeholder protection needs, and security requirements of the individual organization. While those solutions may not be appropriate in every situation, they should be available to those entities that are critical to the economic and national security interests of the United States including, for example, the electric grid, manufacturing facilities, financial institutions, transportation vehicles, medical devices, water treatment plants, and military systems.

A National Strategy Focused on Trustworthy Systems

Today, the cybersecurity threats to our government, businesses, critical infrastructure, industrial base, and people are as severe as threats of terrorism or the threats we experienced during the Cold War.

Overcoming these threats will require a significant investment of resources and the involvement of government, industry, and the academic community. It will take a concerted effort on a level we haven’t seen since President Kennedy dared us to do the impossible and put a man on the moon over a half-century ago.

We can do it again, but the clock is ticking and the time is short. Creating more trustworthy, secure systems requires a holistic view of the problems, the application of concepts, principles, and best practices of science and engineering to solve those problems, and the leadership and will to do the right thing—even when such actions may not be popular.

I think that NIST Special Publication 800-160 is the first step we need to take toward securing the things that matter to us. It will be a grand challenge, but we Americans have a long history of achieving the impossible.

About the author

Ron Ross

Ron Ross is a computer scientist and Fellow at the National Institute of Standards and Technology. He specializes in cybersecurity, risk management, and systems security engineering.  Ron is a retired Army officer who, when not defending cyberspace, follows his passion for NASCAR and takes care of his adopted rescue dog, Sophie.

Related posts


I was one of your Guest at NIST's Forensics Conference I loved it very much I found NIST to quite Important Organization to our government as well as to entire Scientific community as all . This is why also a contributions of each of us as scientist has and must always be necessary , because treat that we are facing : Occurrence of Cyber crime., Must be prevent because Cyber crime can " occurs when information technology is used to commit or conceal an offense. Computer crimes include: Unauthorized access by insiders and employee misuse of Internet access privileges , Theft of propriety information, financial fraud, sabotage of data or Networks Viruses, which are the leading cause of unauthorized users gaining access to systems and networks through the internet and system penetration from outside and denial of service. For me these are gold rules that we must consider , to be able minimizing a computer crimes .
Quite honestly, this will require a huge cultural change, and one thing that I personally think is badly needed in order to help this is to implement a board certification program for software engineers, network engineers, DBAs, etc. We would never think of entrusting our health to a doctor who is not board certified and has gone through many years of training and apprenticeship. We would never consult a lawyer who is not board-certified. We would never trust an architect who is not board certified to build any structure on which our lives depend. The same goes for engineers, dentists, CPAs, etc. Until we get to the point where we, the consumers, are demanding that the software that drives our lives be designed, engineered, tested and certified by board certified professionals, I am afraid that the ideas outlined 800-160 will never be implemented in the way that they need to be. I am also afraid that will never get to the point where consumers are demanding board certification for all software engineers until a major series of catastrophic events occur where it significantly impacts the availability of these IoT systems, or it impacts their pocketbooks. Until then, don't hold your breath and hope that these ideas will be implemented on a global scale.
This is a great step forward and good work. I would have liked to see Appendix J completed as the Software Assurance aspects are very important to designing secure systems.
I would like to meet and talk to Ron Ross. Having more frameworks to try and makes us do what we don but much better, is not the answer. Changing the assymetry of cyber warfare requires a new way of thinking altogether. Think Denial-of-Attacks as the ultimate defense.
I admire the great work of Dr Ross. As Michael Sheaver pointed out above, this requires a huge cultural change. There must be a way to take advantage of this by taking advantage of existing environments such as mature IT Service Management Frameworks in place already. I suggest this be a topic of collaboration with a focus on business value for the purpose of establishing reasonable and prudent approaches. With a focus on reasonableness and prudence while keeping an eye on business value this can move forward at a more natural pace or in DoD terms ‘battle rhythm’. The Global Forum for Advanced Cyber Resilience, is interested in seeing how an organization utilizing the foundational building blocks associated with our International participants in cyber resilient IT Service Management (ITSM) can take advantage of the work to become more resilient. Our focus is on this very large and internationally recognized homogeneous domain. We are in the process of creating public and private collaborative events associated with this topic. Contact us if you are interested
Ron I am so glad that NIST has created this framework and publication. As a longtime systems engineer in high disciplined environments, I have been evangelizing and specializing in the integration of cyber as an engineering specialty since around 2001. I can observe most any quality driven systems engineering program and custom integrate RMF into the systems lifecycle at any maturity. After all, this is the spirit of RMF and what it strives to do. With this manual, it now lends validity to the effort and also gives many new ways to solve the systems security design problems. I am a believer that cyber must be introduced as an engineering problem to solve, and not reaction/service oriented as it has been in the IT shop. Keep up the good work!

I applaud NIST for all its hard work to protect our well being, the economy and national security. Excellent strategy to initially focus on incorporating well defined security-engineering principles within critical infrastructure organizations first.This approach will ensure products are designed and manufactured with robust security architectures and management capabilities. Ultimately, market demand will propel these highly secure systems into the open marketplace.

Very helpful post and great article. Thanks author your Awesome tropic and Valuable information. Truly I appreciate it.

The JS J6 DDC5I/CCD is the Requirements Manager for Joint C2 requirements. By definition, Joint C2 requirements are for National Security Systems. I was reading through NIST SP 800-160, Volume 1 when I came across the following statement:

"The considerations set forth in this publication are applicable to all federal systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542."

Given this, can you tell me why SP 800-160 is not applicable, and where I may find systems engineering guidance that is applicable to National Security Systems? Thanks for your help.

Dear Mr. Carlson,

NIST cybersecurity authorities do not extend to national security systems. However, NIST standards and guidelines can be adopted and used voluntarily by the national security community at any time. For example, under the Joint Task Force, the DOD, Intelligence Community, and CNSS have adopted several NIST publications through individual policy directives. Thus, publications such as NIST 800-53, NIST 800-53A, NIST 800-37, NIST 800-39, and NIST 800-37 are widely used throughout the national security community. While NIST 800-160 is not a Joint Task Force publication, the national security community can use the systems security engineering guidance on a voluntary basis.

Add new comment

Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.