A Three-Headed Monster
- By David Wilson
- Apr 01, 2010
The National Institute of Standards and Technology recently revised its
guidelines regarding how government information systems are protected.
The new guidelines mesh best security practices from the private
and government sectors and will have a huge impact on the cyber
security of government networks. For the first time, there is uniformity
in how the government authorizes both its national security systems
and non-national security information systems.
For years, NIST Special Publication 800-53 applied only to civilian
government agencies, that is, to non-national security systems.
The Department of Defense and the intelligence community each
had separate security controls—the IC uses DCID 6/3 and DOD
uses DODI 8500.2. Additionally, the three communities have had
separate certification and accreditation process standards—with
IC using DCID 6/3, DOD using DIACAP and federal civilian
using NIST 800-37.
There were information assurance professionals who were
DOD-focused and had only a defense skill set, IA professionals
in the intelligence community who knew only IC standards,
and IA professionals in the rest of the government—the civilian
agencies—who abided by NIST publications 800-53 and 800-37.
These three different security control libraries and C&A process
standards created a three-headed monster.
That’s all changing, as evidenced by NIST’s revised 800-53,
Revision 3, titled “Recommended Security Controls for Federal
Information Systems and Organizations.” It essentially creates
a common foundation of information security standards for all
federal IT systems, both NSS and non-NSS. These security controls
will reduce or mitigate security risks and result in a better
transfer of skill sets between the IC, DOD and civilian agencies,
as well as their support contractors.
The revision incorporates common methods, policies and
standardized management, operational and technical security
controls. Agencies will begin to operate as one cohesive unit
using the same security language for all federal information systems
and abiding by the same standards.
In issuing the revision, NIST collaborated with the Office of
the Director of National Intelligence and DOD. Additional IC
guidance regarding the implementation of these standards is being
issued by the Committee on National Security Systems. For
example, the guidance detailing how to categorize NSS was recently
released in CNSS 1253.
The resulting new standards will improve the collective IT
security posture, improve information sharing and provide
greater protection against cyber attack. The NIST guidelines
apply to all components of an information system that process,
store or transmit federal information. The revision was developed
to achieve more secure information systems and effective
risk management within the government. The guidelines will
help the government improve information security and avoid
duplication of effort.
This reduced redundancy of effort will be achieved by new
reciprocity standards. It is not uncommon for an engineered system
or custom application to be deployed across agencies within
the government. Historically, different agencies have not been
able to fully leverage the C&A work already performed by others.
This means that when a second agency deploys the exact same
system, it traditionally redoes all the C&A work. Two hurdles
have prevented this reciprocal acceptance of work.
The first hurdle has been the use of different IA controls libraries,
but the adoption of NIST 800-53 Revision 3 controls will
eliminate this hurdle. The other challenge has been one of policy
or leadership. Formal C&A reciprocity agreements between the
agencies have consistently been sporadic, on/off agreements. In
the future, a standardized system will only need to undergo the
C&A process once, and then it can be deployed widely across
agencies or communities.
Not only will uniformity and reciprocity be the new paradigm,
but commonality also will help to mitigate the shortage of
trained information security professionals across the government
landscape. Since there is one common set of IA controls, a federal
information assurance employee or contractor could move from
agency to agency and carry his or her skill set along intact. This
previously had not been the case.
While the potential benefits are interesting, there are some
additional guidance documents that still need to be published,
such as NIST 800-53A, which will contain updated validation
procedures. These are standardized methods for validating
that federal information systems have implemented the security
controls consistent with NIST 800-53 Revision 3. Additionally,
NIST is coordinating comments for the latest version of NIST
800-37, the security authorization process guide. Updates to these
two NIST publications will provide the foundation on which the
IC and DOD can begin their transition efforts.
The next step is the release of the transition guidance documents.
DOD and the IC will announce transition plans describing how
their security authorization processes will move from the legacy
controls and processes to the new ones.
This transition process could take several years, but we’re now
headed in the right direction.
This article originally appeared in the April 2010 issue of Network-Centric Security.
About the Author
David Wilson is vice president of product management for the Xacta IA Manager at Telos.