NIST SP 800-160

United States

vVol 1 Rev 1

11 domains

49 controls

Systems Security Engineering

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (11)

Agreement and Organisational Project Enabling Processes

1 controls

Controls in the Agreement and Organisational Project Enabling Processes domain of NIST SP 800-160 — 1 controls
Code	Title	Description
SE-BC	Business or Mission Analysis	Define the problem space, mission needs, stakeholders, and constraints that drive the engineering of a trustworthy secur...

Assurance

2 controls

Controls in the Assurance domain of NIST SP 800-160 — 2 controls
Code	Title	Description
SE-AC	Assurance Case Development	Develop and maintain an assurance case that argues, with evidence, that the system possesses claimed security properties...
SE-IA	Information Assurance and Security Engineering Trade-offs	Document trade-offs among security objectives, system performance, cost, and schedule, ensuring decisions are informed a...

Cross-cutting

1 controls

Controls in the Cross-cutting domain of NIST SP 800-160 — 1 controls
Code	Title	Description
SE-HF	Human Factors in Secure Systems Engineering	Address human factors during engineering, including usability of security controls, error tolerance, and operator worklo...

NIST SP 800-160: Access Control

5 controls

Logical and physical access controls (NIST SP 800-160)

Controls in the NIST SP 800-160: Access Control domain of NIST SP 800-160 — 5 controls
Code	Title	Description
SP800-160-TM-CONFIG	Configuration Management Process	Manage and control system elements and configurations over the life cycle, preserving security-relevant configuration in...
SP800-160-TM-DECISION	Decision Management Process	Provide a structured framework for selecting a course of action among alternatives, accounting for security implications...
SP800-160-TM-INFO	Information Management Process	Generate, obtain, manage, and protect designated information, including security-relevant information, throughout the li...
SP800-160-TM-MEASURE	Measurement Process	Collect, analyze, and report data, including security measures, to support effective management and demonstrate product...
SP800-160-TM-RISK	Risk Management Process	Identify, analyze, treat, and monitor risks continually, including security risks to the system and its assets.

NIST SP 800-160: Asset Management

5 controls

Information asset management (NIST SP 800-160)

Controls in the NIST SP 800-160: Asset Management domain of NIST SP 800-160 — 5 controls
Code	Title	Description
SP800-160-OPE-HR	Human Resource Management Process	Provide the organization with necessary skilled and security-competent human resources and maintain their competencies.
SP800-160-OPE-KM	Knowledge Management Process	Create the capability and assets to reuse knowledge, including security knowledge, across the organization.
SP800-160-OPE-QM	Quality Management Process	Assure that products, services, and processes, including their security characteristics, meet organizational quality obj...
SP800-160-TM-ASSESS	Project Assessment and Control Process	Assess whether plans are aligned and feasible, and direct execution to meet objectives including security objectives.
SP800-160-TM-PLAN	Project Planning Process	Produce and coordinate effective and workable project plans that incorporate security activities and resources.

NIST SP 800-160: Communications Security

3 controls

Network and communications security (NIST SP 800-160)

Controls in the NIST SP 800-160: Communications Security domain of NIST SP 800-160 — 3 controls
Code	Title	Description
SP800-160-TE-DISPOSAL	Disposal Process	End the existence of a system element or system, securely handling data sanitization and residual security risks.
SP800-160-TE-MAINTAIN	Maintenance Process	Sustain the capability of the system to provide a secure service, including security patching and configuration control.
SP800-160-TE-OPERATE	Operation Process	Use the system to deliver its services, including sustaining secure operation and managing operational security risks.

NIST SP 800-160: Cryptography

5 controls

Cryptographic controls (NIST SP 800-160)

Controls in the NIST SP 800-160: Cryptography domain of NIST SP 800-160 — 5 controls
Code	Title	Description
SP800-160-TE-ARCH	Architecture Definition Process	Generate system architecture alternatives and select an architecture that frames security concerns and protection capabi...
SP800-160-TE-DESIGN	Design Definition Process	Provide sufficient detailed data and information about the system and its elements to enable secure implementation.
SP800-160-TE-STAKE	Stakeholder Needs and Requirements Definition Process	Define stakeholder protection needs and security requirements that the system must satisfy in its operational environmen...
SP800-160-TE-SYSREQ	System Requirements Definition Process	Transform stakeholder protection needs into a technical view of security requirements for the system.
SP800-160-TM-QA	Quality Assurance Process	Assure the effective application of the organization's quality and security processes to the project.

NIST SP 800-160: Information Security Policies

5 controls

Organizational information security policies (NIST SP 800-160)

Controls in the NIST SP 800-160: Information Security Policies domain of NIST SP 800-160 — 5 controls
Code	Title	Description
SP800-160-AGR-ACQ	Acquisition Process	Obtain a product or service in accordance with the acquirer's security requirements, including expressing security needs...
SP800-160-AGR-SUP	Supply Process	Provide an acquirer with a product or service that meets agreed security requirements.
SP800-160-OPE-INFRA	Infrastructure Management Process	Provide and maintain the secure infrastructure and services needed to support the organization and projects.
SP800-160-OPE-LCM	Life Cycle Model Management Process	Define, maintain, and assure the availability of policies, processes, models, and procedures, including their security a...
SP800-160-OPE-PORTFOLIO	Portfolio Management Process	Initiate, sustain, and direct projects and ensure the necessary investment, including security investment, to meet organ...

NIST SP 800-160: Operations Security

6 controls

Secure operations and monitoring (NIST SP 800-160)

Controls in the NIST SP 800-160: Operations Security domain of NIST SP 800-160 — 6 controls
Code	Title	Description
SP800-160-TE-ANALYSIS	System Analysis Process	Provide a rigorous basis of data and information, including security analyses, for technical understanding and decision...
SP800-160-TE-IMPL	Implementation Process	Realize a specified system element, incorporating secure development and supply chain considerations.
SP800-160-TE-INTEG	Integration Process	Synthesize a set of system elements into a realized system that satisfies security requirements and architecture.
SP800-160-TE-TRANS	Transition Process	Establish a capability for the system to provide services, including security services, in the operational environment.
SP800-160-TE-VALIDATE	Validation Process	Provide objective evidence that the system, when in use, fulfills its stakeholder protection needs in the intended envir...
SP800-160-TE-VERIFY	Verification Process	Provide objective evidence that the system fulfills its specified security requirements and characteristics.

Technical Management Processes

3 controls

Controls in the Technical Management Processes domain of NIST SP 800-160 — 3 controls
Code	Title	Description
SE-CM	Configuration Management Process	Establish configuration management to identify, control, and account for the configuration of system elements that influ...
SE-QA	Quality Assurance Process	Provide independent quality assurance over engineering activities including security engineering tasks, with corrective...
SE-RM	Risk Management Process	Manage risks across the system life cycle including identification, analysis, treatment, monitoring, and communication o...

Technical Processes

13 controls

Controls in the Technical Processes domain of NIST SP 800-160 — 13 controls
Code	Title	Description
SE-ARCH	Architecture Definition	Define a system architecture that realises required security properties through identified principles, structures, and p...
SE-DES	Design Definition	Develop a design that implements the architecture and specifies the components, interfaces, and security mechanisms requ...
SE-DIS	Disposal	Dispose of the system and its data securely, ensuring that residual information cannot be recovered and that dependencie...
SE-IMP	Implementation	Implement the system in accordance with design and architecture using secure development practices that protect against...
SE-INT	Integration	Integrate system elements and verify that security properties hold across interfaces and that integration does not intro...
SE-MNT	Maintenance	Maintain the system to sustain security properties through patching, configuration management, and corrective and adapti...
SE-OP	Operation	Operate the system under defined security policies, monitor security state, and respond to events that may affect trustw...
SE-SA	System Analysis	Perform analyses including security, dependability, and assurance analyses to evaluate design alternatives, trade-offs,...
SE-SN	Stakeholder Needs and Requirements Definition	Elicit, analyse, and document stakeholder needs and translate them into validated stakeholder requirements that capture...
SE-SR	System Requirements Definition	Transform stakeholder requirements into system requirements that specify the protections, properties, and behaviours nec...
SE-TR	Transition	Transition the system from development to operation with secure deployment, training, and handover, ensuring security pr...
SE-VAL	Validation	Provide objective evidence that the system, when deployed in its operational environment, satisfies stakeholder needs in...
SE-VER	Verification	Confirm that the system meets specified security requirements through inspection, analysis, demonstration, and testing.

Maps to 1 other framework

49 total controls

NIST SP 800-53 Rev 5

29 source controls mapped|16 target controls covered

59%

Compare NIST SP 800-160 with NIST SP 800-53 Rev 5

Frequently Asked Questions

What is NIST SP 800-160?

NIST SP 800-160 is a compliance framework from United States with 11 domains and 49 controls. Systems Security Engineering It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does NIST SP 800-160 have?

NIST SP 800-160 has 49 controls organised across 11 domains. The largest domains are Technical Processes (13 controls), NIST SP 800-160: Operations Security (6 controls), NIST SP 800-160: Access Control (5 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does NIST SP 800-160 map to?

NIST SP 800-160 maps to 1 other compliance frameworks. The top mapping partners are NIST SP 800-53 Rev 5 (59% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with NIST SP 800-160 compliance?

Start your NIST SP 800-160 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about NIST SP 800-160 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 49 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 704 frameworks.

Get Started Free →

Free forever — no credit card required