NATO - AEP-67
ENGINEERING FOR SYSTEM ASSURANCE IN NATO PROGRAMMES
Publication Date: 23 October 2017
This guidebook identifies processes, methods, techniques, activities, and tools for system assurance, using a systems engineering approach; it does not preclude the use of other equivalent and compatible processes, methods, techniques, activities, and tools of Member Nations that are not listed here. As defined in ISO/IEC 15288, a system is a combination of interacting elements organized to achieve one or more stated purposes (missions). A system may be a system of systems (SoS) or a family of systems (FoS).
This guidebook focuses on the electronic hardware (HW), firmware, and software (SW) elements that make up the system, including information storage, electronic sensor elements, information processors, and computer and communication elements. It concentrates on identifying implementable techniques, activities, and tools that can be applied to system assurance at the system and system-element level.
This guidebook discusses system assurance by specifically addressing the assurance of security properties throughout the system life cycle. These properties include confidentiality, integrity, availability, authentication, accountability (including non-repudiation), and auditability. It does not address assurance for quality, safety, or dependability. However, an intelligent adversary may be able to subvert a system's functionality, quality, safety, or dependability if there is inadequate assurance of security properties.
This guidebook focuses on assurance of the entire system, not merely of specific system elements. Systems are normally composed of many elements, some commercial and some custom, with many different levels of assurance. Some elements may be "high assurance," meaning that compelling evidence is provided that the element delivers its services in a manner that satisfies certain critical properties (including compelling evidence that there are no software defects that would interfere with those properties). Developing software for high-assurance elements often relies on formal methods, which are rigorous, mathematically based techniques and tools for specifying, designing, and verifying hardware and software systems, as well as on extensive testing. Some elements may be "medium assurance," meaning that the element has been designed to meet its critical properties and that significant effort has been expended to detect and address potential failures to meet them (but not to the level of a high-assurance element). The assurance of an entire system depends on some (or all) of its elements, but assuring specific elements is insufficient: the system must be considered as a whole. System developers may leverage specific high-assurance elements (so that others need less assurance), design the system (e.g., by limiting privileges) so that weaknesses in one element cannot undermine system assurance, or use compensating processes. A systems view is vital for achieving system assurance.
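The systems view described above can be made concrete with a small dependency model. The Python block below is an added example for this page, not code from AEP-67 or from NATO: the element names, the three-level assurance scale, and the "weakest link along the dependency chain" rule are assumptions chosen for illustration. It shows that a low-assurance commercial parser sharing a process with a critical element drags an integrity property down to "low", and that confining the parser behind an isolation boundary (limiting its privileges, as the text suggests) restores the property's assurance without changing the parser itself.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Ordinal ranking of the assurance levels used in the text (hypothetical scale for this example).
LEVELS = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Element:
    name: str
    assurance: str                                      # "low", "medium" or "high"
    depends_on: set[str] = field(default_factory=set)   # elements whose misbehaviour can break this one


@dataclass
class System:
    elements: dict[str, Element]
    # critical property -> elements whose correct behaviour the property directly rests on
    property_roots: dict[str, set[str]]


def trust_closure(system: System, roots: set[str]) -> set[str]:
    """Every element a property transitively relies on (its trusted computing base)."""
    seen: set[str] = set()
    stack = list(roots)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(system.elements[name].depends_on)
    return seen


def property_assurance(system: System, prop: str) -> tuple[str, str]:
    """Weakest-link assurance for one critical property: (level, weakest element).
    Ties are broken by element name so the result is deterministic."""
    closure = trust_closure(system, system.property_roots[prop])
    weakest = min(closure, key=lambda n: (LEVELS[system.elements[n].assurance], n))
    return system.elements[weakest].assurance, weakest


def confine(system: System, element: str, boundary: str) -> None:
    """Put `element` behind an isolation `boundary` (e.g. a separate, least-privilege process).
    Elements that could previously be harmed by `element` now rely on the boundary instead."""
    for other in system.elements.values():
        if element in other.depends_on:
            other.depends_on.discard(element)
            other.depends_on.add(boundary)


def build_example_system() -> System:
    """Constructed example system, not taken from AEP-67: a small message-handling system."""
    elements = {
        "crypto_module":  Element("crypto_module", "high"),                   # formally verified
        "kernel":         Element("kernel", "medium"),                         # COTS OS, hardened
        "image_parser":   Element("image_parser", "low", {"kernel"}),          # COTS, unreviewed
        # The router shares an address space with the parser, so a parser bug can corrupt it.
        "message_router": Element("message_router", "medium",
                                  {"kernel", "crypto_module", "image_parser"}),
    }
    property_roots = {
        "order_integrity":     {"message_router"},   # dispatched orders are not altered
        "key_confidentiality": {"crypto_module"},    # signing keys never leave the module
    }
    return System(elements, property_roots)


if __name__ == "__main__":
    s = build_example_system()
    print("before:", {p: property_assurance(s, p) for p in s.property_roots})
    confine(s, "image_parser", "kernel")   # move the parser into its own process behind the kernel
    print("after: ", {p: property_assurance(s, p) for p in s.property_roots})
```

Note that the gain from `confine` is bounded by the assurance of the boundary element: isolating a weak element behind a boundary that is itself low assurance changes nothing, which is why the text treats privilege limitation as a system design decision rather than a property of the isolated element.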
The purpose of this guidebook is to provide guidance on how to build assurance into a system throughout its life cycle. This guidebook identifies and discusses systems engineering activities, processes, tools, and considerations that address system assurance. To be cost-effective, assurance issues must be addressed as early as possible; system assurance is often much more expensive to add later in the life cycle. Assurance efforts should be commensurate with mission needs and threats (both identified and predictable).