NSA updating guidance, policies for more secure development


Cybersecurity can't be a system design afterthought, emphasized a top National Security Agency official Nov. 16 during a Washington, D.C. conference panel.

"We cannot come in after the fact to build in the security requirements," said Michele Iversen, chief of information systems security engineering services at the NSA. But too often, that's exactly what ISSE staff ends up doing, she said while speaking at the "Security Conference and Exhibition."

Patching a poorly built application can cause cost overruns and overbuilding, and sometimes it simply results in a product that isn't structurally sound. Iversen's team is developing guidance that will force developers to consider, from day one, what security models should be applied for certain security levels, Iversen said.

NSA is updating its information assurance technology framework with the help of the National Institute of Standards and Technology and will soon release it as a NIST special publication, she added.

In addition, NSA is updating its internal systems engineering handbook--which has not been revised since 1994--and making it a supplement to the upcoming NSA-NIST framework. Iversen would like to "leverage existing credible references and build that engineering guidance using NIST, using the top 20 security controls, using recognized industry leaders for building those models."

Finally, NSA is working with the Defense Department at the policy level to improve language in the DoD 5000 series so that consideration of system security would become part of critical design reviews. In addition to identifying a lead systems engineer, the update would mandate program personnel to include a systems security engineer or architect.
