SYSTEMS SECURITY ENGINEERING: WHOSE JOB IS IT ANYWAY?

ABSTRACTThis article delivers a look at current and evolving policy, guidance, and standards surrounding security activities in the systems engineering lifecycle. Emphasis is placed on systems security engineering (SSE) and how application of systems engineering concepts and processes in an agile manner (agile systems engineering) throughout the lifecycle is the way to deal with the dynamic and diverse world of cyber threats to a system (Dove 2014). This paper is a follow‐on to “Response to Cyber Security Demands for Agility” (Nejib‐Beyer 2014) published in the International Council on Systems Engineering (INCOSE) INSIGHT in 2014. The focus of that research was bringing attention to cyber security and the importance of other disciplines towards contributing to secure systems. Since that time many of these domains have further developed their own standards, processes, and guidance in the area of cyber security. What we require now is a way to take these domain‐focused concepts and integrate them into and across a systems lifecycle. The best way to achieve this is as part of the systems engineering function. Designing and building secure systems requires a seamless integration of security into systems engineering processes and agile methodologies adopted to constantly revisit, reevaluate, and re‐design as part of a risk management process. The framework that will be discussed in this paper will focus on taking currently evolving guidance in SSE and breaking that down into products and tools for systems engineers to easily determine the relationship and value between SSE and systems engineering. In addition, quick reference guides will further enhance and enable successful development and integration of SSE artifacts into systems engineering artifacts. One of the companion pieces needed in the existing SSE documentation is a mapping of work products/artifacts generated during the lifecycle/technical processes and the responsible and contributing parties. Critical to the success of the new guidance, such as the National Institute of Standards and Technology (NIST) Special Publication (SP) 800‐160, Systems Security Engineering, is a clear accountability and acceptance of all disciplines on their contributions and influence towards developing a secure system. We present an SSE roles and responsibilities framework concept for consideration. The framework is an implementation tool to be used along with existing guidance in the area of SSE and systems engineering to clearly demonstrate that program protection is not the responsibility of any one person or discipline, it is the responsibility of an entire team of individuals planning, developing, deploying, operating & maintaining (O&M), and retiring a system. SSE is the “glue” that binds all of this together during the systems engineering lifecycle to enhance system security.