Patterns for Integrating NIST 800-53 Controls into Security Assurance Cases

Viger, Torin; Diemert, Simon; Foster, Olivia

doi:10.1007/978-3-031-40953-0_14

Torin Viger¹²,
Simon Diemert¹³ &
Olivia Foster¹³

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14182))

Included in the following conference series:

International Conference on Computer Safety, Reliability, and Security

716 Accesses

Abstract

It is sure that critical systems are appropriately secure and protected against malicious threats. In this paper, we present a novel pattern for Security Assurance Cases that integrates security controls from the NIST-800-53 cyber security standard into a comprehensive argument about system security. Our framework uses Eliminative Argumentation to increase confidence that these controls have been applied correctly by explicitly considering and addressing doubts in the argument.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 59.99; Price excludes VAT (USA)

Softcover Book: USD 79.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

ISO 26262 - Road vehicles—Functional safety. Standard, International Organization for Standardization, Switzerland (2018)
Google Scholar
NIST 800-53 - Security and Privacy Controls for Information Systems and Organizations. Special Publication SP 800-53, National Institute of Standards and Technology (2020)
Google Scholar
ISO 21434 - Road vehicles - Cybersecurity engineering. Standard, International Organization for Standardization (2021)
Google Scholar
Socrates - Assurance Case Editor (2023). https://safetycasepro.com
Bloomfield, R., Bishop, P., Jones, C., Froome, P.: ASCAD – Adelard safety case development manual. Technical report, Adelard (1998)
Google Scholar
Burton, S., Gauerhof, L., Heinzemann, C.: Making the case for safety of machine learning in highly automated driving. In: Tonetta, S., Schoitsch, E., Bitsch, F. (eds.) SAFECOMP 2017. LNCS, vol. 10489, pp. 5–16. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66284-8_1
Chapter Google Scholar
Diemert, S., Joyce, J.: Eliminative argumentation for arguing system safety - a practitioner’s experience. In: 2020 IEEE International Systems Conference (SysCon), pp. 1–7 (2020). iSSN 2472-9647
Google Scholar
Diemert, S., Goodenough, J., Joyce, J., Weinstock, C.: Incremental assurance through eliminative argumentation. J. Syst. Saf. 58(1), 7–15 (2023)
Article Google Scholar
Goodenough, J.B., Weinstock, C.B., Klein, A.Z.: Eliminative argumentation: a basis for arguing confidence in system properties. Technical report, Carnegie Mellon University-Software Engineering Institute Pittsburgh United (2015)
Google Scholar
ACW Group: Assurance Case Guidance - Challenges, Common Issues and Good Practice (Version 1.1). Technical report, Safety Critical Systems Club (2021)
Google Scholar
ACW Group: Goal Structuring Notation Community Standard (Version 3). Technical report, Safety Critical Systems Club (2021)
Google Scholar
Holloway, C.M.: The Friendly Argument Notation (FAN). Technical report (2020). https://ntrs.nasa.gov/citations/20205002931, nTRS Author Affiliations: Langley Research Center NTRS Document ID: 20205002931 NTRS Research Center: Langley Research Center (LaRC)
Jahan, S., et al.: MAPE-K/MAPE-SAC: an interaction framework for adaptive systems with security assurance cases. Futur. Gener. Comput. Syst. 109, 197–209 (2020)
Article Google Scholar
Kelly, T.P.: Arguing safety - a systematic approach to safety case management. Ph.D. thesis, University of York (1998)
Google Scholar
Muckin, M., Fitch, S.C.: A Threat-Driven Approach to Cyber Security. Lockheed Martin Corporation (2014)
Google Scholar
Toulmin, S.E.: The Uses of Argument, 2nd edn. Cambridge University Press, Cambridge (2003). https://doi.org/10.1017/CBO9780511840005
Book Google Scholar
Wikipedia: Autonomous cargo ship—Wikipedia, the free encyclopedia (2023). https://en.wikipedia.org/wiki/Autonomous_cargo_ship. Accessed 29 Apr 2023

Download references

Author information

Authors and Affiliations

University of Toronto, Toronto, Canada
Torin Viger
Critical Systems Labs, Inc., Vancouver, Canada
Simon Diemert & Olivia Foster

Authors

Torin Viger
View author publications
You can also search for this author in PubMed Google Scholar
Simon Diemert
View author publications
You can also search for this author in PubMed Google Scholar
Olivia Foster
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Torin Viger .

Editor information

Editors and Affiliations

University of Toulouse, Toulouse, France
Jérémie Guiochet
Fondazione Bruno Kessler, Trento, Italy
Stefano Tonetta
Austrian Institute of Technology GmbH, Vienna, Austria
Erwin Schoitsch
LAAS-CNRS, Toulouse, France
Matthieu Roy
Thales Deutschland GmbH, Ditzingen, Germany
Friedemann Bitsch

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Viger, T., Diemert, S., Foster, O. (2023). Patterns for Integrating NIST 800-53 Controls into Security Assurance Cases. In: Guiochet, J., Tonetta, S., Schoitsch, E., Roy, M., Bitsch, F. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2023 Workshops. SAFECOMP 2023. Lecture Notes in Computer Science, vol 14182. Springer, Cham. https://doi.org/10.1007/978-3-031-40953-0_14

Download citation

DOI: https://doi.org/10.1007/978-3-031-40953-0_14
Published: 14 September 2023
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-40952-3
Online ISBN: 978-3-031-40953-0
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Patterns for Integrating NIST 800-53 Controls into Security Assurance Cases