Journal Entry #10 – Security Engineering – Baking in Security Throughout the System Lifecycle

The information technology age, through increased “mission/business-driven stakeholder needs,” has “increased dependence (on these systems) that results in consequences of major inconveniences to catastrophic loss due to disruptions, hazards, and threats within the global operating environment” (Ross et al., 2016). Additionally, this information is often available anytime and anywhere; however, access to this information is not always obtained by authorized individuals. For a variety of reasons, bad actors, often referred to as “hackers,” seek to access information by exploiting inherent weaknesses prevalent in hardware and software. There are cyber and information technology professionals, as well as supporting systems, that execute the critical incident response processes of identify, protect, detect, respond, and recover; however, these processes are executed against production systems during daily operations. It is critical that security be integrated into every aspect of the system lifecycle process, which encompasses everything from business need/strategy through end of life/retirement.

“Systems engineering provides the foundation for a disciplined and structured approach to engineering trustworthy secure systems…that provide the attributes of safety, security, reliability, dependability, performance, resilience, and survivability under a wide range of potential adversity in the form of disruptions, hazards, and threats” (Ross et al., 2016). It is important to understand two fundamental design considerations: 1) it is impossible to engineer a system that is completely impenetrable; thus, systems engineering must consider risk, and 2) the business strategy and the value of the assets being protected will be critical in determining how best to mitigate that risk, as resources are not unlimited. It is also important to understand that the systems engineering process does not only include new systems; it includes the modification and evolution of existing systems.

One systems engineering process, associated with application development, that has been evolving over recent years is known as DevSecOps (Development, Security, and Operations), which is also sometimes identified as SecDevOps. DevSecOps, which evolved from DevOps (the integration of software development and operations), adds security considerations into development as a complete lifecycle process and accounts for evolving technologies, including cloud computing. The National Institute of Standards and Technology, NIST (n.d.), identified several values of DevSecOps, some of which include reducing vulnerabilities, malicious code, and other security concerns; mitigating the potential impact of vulnerabilities throughout the application lifecycle; and addressing the root causes of vulnerabilities to prevent recurrences. NIST released a draft special publication, NIST SP 800-204C, that begins to discuss the implementation of DevSecOps for a microservices-based application with a service mesh. Chandramouli (2021) discusses the DevSecOps lifecycle in terms of Continuous Integration, Continuous Delivery, and Continuous Deployment (CI/CD) pipelines.

Regardless, DevSecOps is just one framework that highlights the criticality of systems engineering to overall systems security. Ross et al. (2016) identified that it is critical to consider “system security across every activity…and failure to address the complexity issue in this manner will continue to leave the Nation susceptible to the consequences of an increasingly pervasive set of disruptions, hazards and threats with potential for causing serious, severe, or even catastrophic consequences.”

Chandramouli, R. (2021, September). Implementation of DevSecOps for a Microservices-based Application with Service Mesh (draft). Retrieved November 21, 2021, from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-204C-draft.pdf.

National Institute of Standards and Technology. (n.d.). DevSecOps: CSRC. CSRC. Retrieved November 20, 2021, from https://csrc.nist.gov/Projects/DevSecOps.

Ross, R., McEvilley, M., & Oren, J. C. (2016, November). Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. Archived NIST Technical Series Publication. Retrieved November 20, 2021, from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf.
