NIAP offering security forum
Agencies and industry must determine how to build security requirements into product development
National Information Assurance Partnership
The National Information Assurance Partnership is offering agencies and industry a forum to determine how to build security requirements into the development cycle of commercial products, something that would make it easier to secure an organization's systems enterprisewide.
In the current information technology environment, agencies trying to secure networks made up of commercial off-the-shelf hardware and software must purchase add-on products or customize the COTS products.
But adding security products after installation takes time and money. Furthermore, customization leaves the agency with a system that is no longer supported by the vendor and that will not be easy to upgrade.
The NIAP, a partnership between the National Institute of Standards and Technology and the National Security Agency, brought together security experts from government, industry and academia this week to discuss possible ways to overcome these problems.
The consensus—that there needs to be more communication on what the exact requirements are—will not immediately fix security, but work must start on developing and collecting these requirements and getting them into the development cycle, officials said.
"We can't wait for years; we've got to rapidly converge on requirements," said Stuart Katzke, senior adviser at the NIAP.
Agencies including the Federal Aviation Administration are starting to work with the NIAP to better define their security requirements, and the NIAP is looking for other target communities where the organization can serve as a catalyst, Katzke said.
The smart-card group hosted by the NIAP has had success in bringing together users and vendors, and it is being offered as a model for new working groups to address security needs in other areas.
The group demonstrated that simply developing requirements at the user level will not be enough and that a link must be made to the product vendors or there will be a disconnect between the needs and the results. For example, a financial services group testing commercial smart cards against their requirements failed almost every single one, said Ken Ayer, vice president of risk management at Visa International Inc. and chairman of the Smart Card Security Users Group.
"Almost nothing is built to specification the first time around," he said.
NEXT STORY: Letter to the Editor