Cyber Resiliency Engineering: Final Public Draft of NIST SP 800-160 Vol. 2 is Available for Comment


NIST is seeking comments on the Final Public Draft of NIST Special Publication (SP) 800-160 Volume 2, Developing Cyber Resilient Systems: A Systems Security Engineering Approach.

The public comment period closes November 1, 2019. We encourage you to use the comment template provided when submitting comments. See the publication details link below for a copy of the document, comment template, and instructions for submitting comments.



Draft NIST SP 800-160, Volume 2 presents the cyber resiliency engineering framework (conceptual framework) for understanding and applying cyber resiliency, a concept of use for the conceptual framework, and specific engineering considerations for implementing cyber resiliency in the system life cycle. Building off the conceptual framework, this publication also identifies considerations for determining which cyber resiliency constructs are most relevant to a system-of-interest and a tailorable cyber resiliency analysis process to apply the selected cyber resiliency concepts, constructs, and practices to a system. The cyber resiliency analysis is intended to determine whether the cyber resiliency properties and behaviors of a system-of-interest, wherever it is in the life cycle, are sufficient for the organization using that system to meet its mission assurance, business continuity, or other security requirements—in a threat environment that includes the advanced persistent threat (APT).

This publication is designed for use in conjunction with NIST SP 800-160 Volume 1, “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems” and NIST SP 800-37, “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.” Application of the principles in this publication, in combination with the system life cycle processes in SP 800-160 Volume 1 and the risk management methodology in SP 800-37, can be viewed as a handbook for achieving the identified cyber resiliency outcomes. Guided and informed by stakeholder protection needs, mission assurance needs, and stakeholder concerns with cost, schedule, and performance, the cyber resiliency constructs, principles, and approach can be applied to critical systems to identify, prioritize, and implement solutions to meet the unique cyber resiliency needs of organizations.

NOTE: A call for patent claims is included on page vi of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

CSRC Update:

Publication details: