SA-24 Design For Cyber Resiliency

Baselines

Guidance

Cyber resiliency is critical to ensuring the survivability of mission critical systems and high value assets. Cyber resiliency focuses on limiting the damage from adversity or the conditions that can cause a loss of assets. Damage can affect: (1) organizations (e.g., loss of reputation, increased existential risk); (2) missions or business functions (e.g., decreased capability to complete current missions and to accomplish future missions); (3) security (e.g., decreased capability to achieve security objectives or to prevent, detect, and respond to cyber incidents); (4) systems (e.g., unauthorized use of system resources or decreased capability to meet system requirements); or (5) specific system elements (e.g., physical destruction; corruption, modification, or fabrication of information).

Cyber resiliency goals are intended to help organizations maintain a state of informed preparedness for adversity, continue essential mission or business functions despite adversity, restore mission or business functions during and after adversity, and modify mission or business functions and their supporting capabilities in response to predicted changes in technical, operational, or threat environments.

NIST SP 800-160, Volume 2 provides additional information on the Cyber Resiliency Engineering Framework to include detailed descriptions of cyber resiliency goals, objectives, techniques, implementation approaches, and design principles. NIST SP 800-160, Vol 1 provides additional information on achieving cyber resiliency as an emergent property of an engineered system.

References 4

• OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016.
• SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
• SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
• SP 800-160-2 Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2.

Related controls 65

• CA-07 Continuous Monitoring L M H P
• CP-02 Contingency Plan L M H P
• CP-04 Contingency Plan Testing L M H P
• CP-09 System Backup L M H P
• CP-10 System Recovery and Reconstitution L M H P
• CP-11 Alternate Communications Protocols L M H P
• CP-12 Safe Mode L M H P
• CP-13 Alternative Security Mechanisms L M H P
• IA-10 Adaptive Authentication L M H P
• IR-04 Incident Handling L M H P
• IR-05 Incident Monitoring L M H P
• PE-11 Emergency Power L M H P
• PE-17 Alternate Work Site L M H P
• PL-08 Security and Privacy Architectures L M H P
• PM-07 Enterprise Architecture L M H P
• PM-16 Threat Awareness Program L M H P
• PM-30 Supply Chain Risk Management Strategy L M H P
• PM-31 Continuous Monitoring Strategy L M H P
• RA-03 Risk Assessment L M H P
• RA-05 Vulnerability Monitoring and Scanning L M H P
• RA-09 Criticality Analysis L M H P
• RA-10 Threat Hunting L M H P
• SA-03 System Development Life Cycle L M H P
• SA-08 Security and Privacy Engineering Principles L M H P
• SA-09 External System Services L M H P
• SA-17 Developer Security and Privacy Architecture and Design L M H P
• SC-03 Security Function Isolation L M H P
• SC-05 Denial-of-service Protection L M H P
• SC-07 Boundary Protection L M H P
• SC-10 Network Disconnect L M H P
• SC-11 Trusted Path L M H P
• SC-29 Heterogeneity L M H P
• SC-30 Concealment and Misdirection L M H P
• SC-34 Non-modifiable Executable Programs L M H P
• SC-35 External Malicious Code Identification L M H P
• SC-36 Distributed Processing and Storage L M H P
• SC-37 Out-of-band Channels L M H P
• SC-39 Process Isolation L M H P
• SC-44 Detonation Chambers L M H P
• SC-47 Alternate Communications Paths L M H P
• SC-48 Sensor Relocation L M H P
• SC-49 Hardware-enforced Separation and Policy Enforcement L M H P
• SC-50 Software-enforced Separation and Policy Enforcement L M H P
• SC-51 Hardware-based Protection L M H P
• SI-03 Malicious Code Protection L M H P
• SI-04 System Monitoring L M H P
• SI-06 Security and Privacy Function Verification L M H P
• SI-07 Software, Firmware, and Information Integrity L M H P
• SI-10 Information Input Validation L M H P
• SI-14 Non-persistence L M H P
• SI-15 Information Output Filtering L M H P
• SI-16 Memory Protection L M H P
• SI-19 De-identification L M H P
• SI-20 Tainting L M H P
• SI-21 Information Refresh L M H P
• SI-22 Information Diversity L M H P
• SI-23 Information Fragmentation L M H P
• SR-03 Supply Chain Controls and Processes L M H P
• SR-04 Provenance L M H P
• SR-05 Acquisition Strategies, Tools, and Methods L M H P
• SR-06 Supplier Assessments and Reviews L M H P
• SR-07 Supply Chain Operations Security L M H P
• SR-09 Tamper Resistance and Detection L M H P
• SR-10 Inspection of Systems or Components L M H P
• SR-11 Component Authenticity L M H P