NIST targets APTs with resilience strategies

From the Office of Personnel Management data breach to the Russian hacking of the 2016 elections, cyberattacks from hostile nation-states, criminal and terrorist groups and rogue individuals are becoming more frequent. The National Institute of Standards and Technology’s most recent draft publication aims to help organizations address vulnerabilities and create more “defensible and survivable systems.”

“Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems” provides guidance on addressing advanced persistent threats that target IT infrastructure to impede critical aspects of an organization's mission. It is applicable to new systems, but also addresses engineering considerations when improving resiliency in legacy systems.

NIST defines cyber resilience as "the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources regardless of the source."

The publication breaks down elements of cyber resiliency to provide a conceptual framework of goals, objectives, techniques and design principles.

By creating a structured understanding of the set of systems engineering needs and tasks, the draft document seeks to guide development of “trustworthy secure systems that are fully capable of supporting critical missions and business operations while protecting stakeholder assets, and to do so with a level of assurance that is consistent with the risk tolerance of those stakeholders,” NIST fellow and lead author Ron Ross wrote in the publication's forward.  

The publication can be viewed as a handbook, and organizations can use some or all of the cyber resiliency principles described and apply them to their own technical, operational and threat environments, NIST officials said.

To specifically target the cyber resiliency threat, organizations should:  

  1. Focus on the mission or business needs that are critical to success.
  2. Focus on the effects of advanced persistent threats to produce systems that can anticipate, withstand, recover and adapt to different conditions and stresses.
  3. Assume the adversary will compromise or breach the system or organization to target flaws in operational environments and supply chains.
  4. Assume the adversary will be able to maintain a presence in the system or organization, with some threats more difficult to eradicate over time.

To help organizations build cyber resiliency into system life cycle processes, the guide includes  sections on implementation, integration, verification, transition, validation, operation, maintenance and disposal.

Public comments for the draft cyber resiliency document are due on May 18.

About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.

Friedman can be contacted at [email protected] or follow her on Twitter @SaraEFriedman.

Click here for previous articles by Friedman.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected