Progress is slow on harmonizing government cybersecurity policies


A task force created to bring security policies and practices for national security and non-national security systems into line with each other has produced an initial set of common standards, but much work remains before the full benefit of the process is realized, according to the GAO.

Civilian, military and intelligence agencies have been cooperating for two years to bring their information security policies into line with each other, and the Government Accountability Office says in a new report that it is time to move beyond the basics.

“The harmonization effort has the potential to reduce duplication of effort and allow more effective implementation of information security controls across interconnected systems,” GAO wrote in its report on harmonizing IT security guidance. But, “to fully realize the benefits of the harmonized guidance, additional work remains to implement it.”

The Joint Task Force Transformation Initiative Interagency Working Group was formed in April 2009 by the National Institute of Standards and Technology, the Defense Department and the Office of the Director of National Intelligence to produce a unified information security framework, with NIST taking the lead and publishing guidance.

Three publications have been issued, but recertification of Defense Department IT systems to new common standards could take up to three years after new guidelines are released, and final development of guidelines still is a year or more off. The intelligence community estimated that implementing change in its IT systems could take three to five years from the time standards and guidance are in place. For some difficult-to-service systems, such as satellites, the current standards implemented could remain unchanged throughout their operational lives.


The task force’s flexible, informal process has worked well so far, but might not be adequate for the future, GAO concluded. “While the task force’s approach to managing the harmonization effort may not have hindered development to date, plans for future publications have slipped, in part because of the challenges of coordinating such a cross-agency effort.”

GAO recommended that the task force adopt a more formal approach to the collaboration.

There has been a long-standing divide in oversight of government IT systems. The Federal Information Security Management Act sets general requirements, but it does not apply to systems designated as national security systems. Generally, the Office of Management and Budget develops policies and guidance and oversees FISMA compliance, and NIST is responsible for developing the technical standards.

The Committee on National Security Systems sets the policy for national systems. DOD has largely exempted itself from FISMA for non-national security systems by establishing its own Information Assurance Framework, which includes more stringent standards than FISMA.

“The variances in guidance were sufficient to cause several unintended and undesirable consequences for the federal community,” GAO wrote. “For example, both DOD and NIST had catalogs of information security controls that covered similar areas but had different formats and structures.”

This complicated oversight because the security of federal information systems could not easily be assessed and compared. And reciprocity, the mutual agreement among enterprises to accept each other’s security assessments, was hampered because of apparent differences in interpreting risk levels. Because agencies were not confident in other agencies’ certification and accreditation results, recertification and reaccreditation of systems sometimes has been required when not necessary.

The task force grew out of efforts beginning in 2006 to harmonize policies and requirements in DOD and the intelligence community. NIST was an informal participant and was formally included in 2009 to lead the working group when its scope was broadened to include civilian non-national security systems covered under FISMA.

“This harmonized security guidance is expected to result in less duplication of effort and more effective implementation of controls across multiple interconnected systems,” GAO said.

To date, the task force has completed three documents, which are revisions of existing NIST Special Publications:

  • SP 800-53, Revision 3, "Recommended Security Controls for Federal Information Systems and Organizations," published in August 2009.
  • SP 800-37, Revision 1, "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach," published in February.
  • SP 800-53A, Revision 1, "Guide for Assessing the Security Controls in Federal Information Systems and Organizations."

Two more publications are planned. SP 800-39, "Enterprise-Wide Risk Management: Organization, Mission and Information Systems View," is scheduled for publication in January, while SP 800-30, Revision 1, "Guide for Conducting Risk Assessment," will appear in February.

Two additional publications are under consideration: a Guide for Information System Security Engineering, which could be released in September 2011, and a Guide for Software Application Security, which could be released in November 2011.

Because it has no authority over national security systems, NIST issues the guidance and CNSS authorizes its use in national security systems.

Remaining differences between guidance in the two communities include such areas as system categorization, selection of security controls, and program management controls. Officials at NIST and CNSS told GAO that some differences could be addressed in the future but that some might remain because of the special nature of national security systems.

CNSS and NIST agreed with GAO that going forward the task force should complete plans to identify future areas for harmonization efforts and consider how key collaborative practices, such as documenting roles and responsibilities, needs, resources, and monitoring and reporting mechanisms, could help the effort.
