What Are NIST Principles for Trustworthy Secure Design?

system trustworthiness featured

In today’s interconnected world, IT system trustworthiness has become an essential cornerstone for critical infrastructure’s seamless and secure functioning. As governments, enterprises, and industrial organizations rely on complex digital systems, the trustworthiness of these systems must be measured and maintained. 

The need for trust in IT systems has been magnified by the rapid adoption of emerging technologies such as artificial intelligence, the Internet of Things (IoT), and cloud computing, which have introduced new layers of complexity and vulnerability. 

Here, we discuss trustworthiness from the perspective of the National Institute of Standards and Technology (NIST), the challenges and strategies for achieving IT system trustworthiness, exploring the technologies, methodologies, and best practices that organizations can employ to safeguard their digital assets and instill confidence in their stakeholders.


What Is NIST Special Publication 800-160?

NIST Special Publication (SP) 800-160, titled “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems,” is a publication from NIST to provide guidelines and recommendations for integrating security into the systems engineering process. 

This publication aims to help organizations and engineers design, develop, and maintain secure systems by addressing security from a holistic and multidisciplinary perspective rather than as an afterthought or an isolated concern.

NIST SP 800-160 is intended for many stakeholders, including system developers, integrators, security practitioners, and organizational decision-makers. By providing a comprehensive and structured approach to systems security engineering, this publication helps organizations improve their systems’ security, resilience, and trustworthiness.


What Are the Principles for Trustworthy Security Development?

system trustworthiness

Within NIST SP 800-160 is a list of principles that the organization deems necessary to create and maintain a “trustworthy” system. This extensive list includes the following practices and requirements:


Anomaly Detection

Anomaly detection is the capability of a given system to detect, in a timely manner, any anomalies that arise. This principle is critical for implementing a trustworthy system in which abnormalities can lead to immediate corrective action. 

Three aspects of such detection include:

  • Basis for Correctness: A model that determines how to compare correct and anomalous behaviors for the purposes of detection.
  • Data Collection: Specifically, the collection of self-awareness data, or data that relates to the health, status, testing, or behavior of that system.
  • Data Interpretations: The system must be able to interpret collected data, compare it against a correct model, and decide whether an anomaly exists. 


Clear Abstractions

Large IT systems are complex, and managing such complexity is often beyond the capabilities of human administrators and programmers. Thus, these parties must develop system “abstractions,” or interfaces that promote the system’s use, inspection, testing, and analysis. Interfaces are expected to maintain accuracy, precision, and simplicity while being sufficient to apply their design.


Commensurate Protection

Security measures are commensurate with the most significant threats that might arise from the failure of that measure. This “most significant adverse effect” is the need that defines the degree of the security measure–the more significant the adverse effect, the greater the need for a higher degree of security. 


Commensurate Response

Responses to anomalies and security issues should display an aggressiveness commensurate with the severity of that threat. Determining such aggressiveness includes considerations of effectiveness to directly address an anomaly, the effects of the response on the system, and opportunities to take secondary, failsafe actions should the original fail. 


Additionally, this factor defines two “extremes” to consider when dictating response strategy:

  • Graduated Response: The least aggressive response to a threat, one that can lead to more aggressive approaches as needed.
  • Ungraduated Response: The most aggressive action that can be taken against a threat without consideration of side effects to the system.


Commensurate Rigor

The “rigor” of a response is the conduct of the activity in providing confidence in addressing a significant adverse effect. This includes the scope, depth, and detail of the activity and how these factors help understand that activity in terms of success and side effects.


Commensurate Trustworthiness

Elements of a system are “trustworthy” so far as other elements and systems can “trust” those elements to perform reliably commensurate with the most significant adverse effects.


Compositional Trustworthiness

The design of the overarching system is considered trustworthy for each aggregate of trustworthy elements or components. This means that the emergent behavior of such systems is considered trustworthy based on the relationships of the underlying components. 


Continuous Protection

Any protection an element or component provides must be uninterrupted as long as the component is in operation. This includes two principles:

  • Trustworthy System Control: The component can protect itself against tampering, and such trustworthiness can be determined via testing. 
  • Protective Failure and Recovery: If the component should fail, it will default into a protective state.


Defense in Depth

Defensive systems and system components should be coordinated such that their shared operations prevent data loss. This includes implementing multiple lines of defense, utilizing several types of loss control, and maintaining diversity across these components.


Distributed Privilege

Components and individuals operating within a system must work together to take action against threats. Rules, conditions, and constraints must be in place such that agreement and coordination across the system are required to perform critical operations. 



System structure, behaviors, and data flow management should contain diverse controls and components to avoid system-wide failures due to common flaws. Additionally, various sets of elements and components can confound attacks through unpredictability and complexity. 


Domain Separation

Different domains of information, control, or protection are logically or physically separated so that the different security needs of these domains remain distinct, contained, and manageable. 


Hierarchical Protection

Simply put, hierarchies of trust should exist in which different components may be considered more or less trustworthy. Following this, any individual component should not need protection from more trustworthy counterparts. 


“Least” Principles

Several components and functions within a trustworthy system should follow a principle of least action–that is, a limitation on its operation that prevents unintended vulnerabilities. These include:

  • Least Functionality: A system component can accomplish its required functions and nothing else.
  • Least Persistence: Components are only available and accessible to fulfill their required operation and no more
  • Least Privilege: Components have only the privileges necessary to do their appointed task but no more
  • Least Sharing: Resources are shared between components only as minimally necessary to support operations and to as few components as possible.

      Loss Margins

      A system should operate well outside a threshold of “loss” (i.e., data breach or loss) to feasibly resist adversity without failure. This aspect of trustworthy systems includes an understanding of risk management and design such that an organization can determine this threshold and conservative operating parameters to maintain it. 


      Mediated Access

      All potential access to the system must be mediated such that there are limits on system and resource use, privilege escalation, and propagation across a system. 


      Minimal Trusted Elements

      Following “least use” principles, there should only be a minimal set of trusted system components as needed for the system’s operation. 


      Minimize Detectability

      The system, to remain trustworthy, should not be generally detectable on open networks. That means no or limited discoverability, trackability, or ability to observe system operations.


      “Protective” Principles

      There are several protective safeguards a trustworthy component must include to remain so. 

      These include:

      • Protective Defaults: The default configuration of a component should provide maximum protective effectiveness based on the operations of the element within the system.
      • Protective Failure: The failure of a component should not result in further losses such that the failure is an unacceptable loss for the system as a whole. This means avoiding single points of failure.
      • Protective Recovery: If a component fails, its recovery should not result in new vulnerabilities or continued losses.


          Reduced Complexity

          System designs are as simple as possible for operations and avoid unnecessary complexity. 



          Support of system capabilities includes using security and operational redundancies to limit single points of failure. This includes multiple data flows, backups, load balancing, etc.



          Finally, there are several criteria to ensure that the organization can verify trustworthiness. These include:

          • Self-Reliance: Components are trustworthy in and of themselves, with minimal reliance on other components to support their operations. 
          • Substantiated Trust: Judgements on component or system trustworthiness are based on testable, measurable, and observable criteria. No component should be implicitly trusted without a substantiated evaluation.
          • Trustworthy System Control: Generalized validation mechanisms (reference monitors) should be designed to determine general system trustworthiness accurately. These reference monitors can be used as validation references that must be testable.

          Support Your Overall System Control and Trustworthiness Using Continuum GRC

          Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

          • FedRAMP
          • StateRAMP
          • NIST 800-53
          • FARS NIST 800-171
          • CMMC
          • SOC 1, SOC 2
          • HIPAA
          • PCI DSS 4.0
          • IRS 1075
          • COSO SOX
          • ISO 27000 Series
          • ISO 9000 Series

          And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.

          Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.

          Download our company brochure.

          Continuum GRC