New guidelines push agencies to build in IT security controls upfront

Procedures detail how to protect personal information and assess risk when developing systems.

Guidelines on evaluating information security at agencies soon will be revised to better address concerns about protecting personal information and to incorporate risk assessments into processes for building computer systems, said a panel of government officials on Thursday.

In December, the National Institute of Standards and Technology will release for comment an updated version of Special Publication 800-53, "Recommended Security Controls for Federal Information Systems," which will include a new appendix of controls agencies can put in place to protect privacy. The appendix lays out guidelines for considering personally identifiable information when developing security plans for IT systems. Applications that contain Social Security numbers, for example, would incorporate stricter access controls to prevent unauthorized individuals from viewing or downloading the data.

"This will provide a metric to measure against," said Ken Mortensen, acting chief privacy and civil liberties officer with the Justice Department, during a panel discussion in Washington at the Security 2008 conference sponsored by 1105 Government Information Group. "It's critical. If security is science, privacy is art," he said, noting that it's often subject to interpretation. "We need a successful way of baking privacy into our systems." The most notorious example of a privacy breach happened in 2006, when a laptop containing the Social Security numbers of 26.5 million veterans was stolen from the Veterans Affairs Department. Had privacy controls such as encryption or appropriate authorization tools been baked in, the data would have been less vulnerable.

Another component of NIST's security updates is SP 800-39, "Managing Risk From Information Systems," which was released in draft form on April 3. The guidelines, which should be finalized within the next six months, provide a structured but flexible approach for managing risk when incorporating information systems into mission and business processes. The document lays out a framework for categorizing information systems in terms of risk; selecting, implementing and assessing security controls; authorizing information systems once all security controls are in place; and monitoring them after a system goes online, according to Ron Ross, senior computer scientist and information security researcher at NIST. The expectation is that by applying this strategy, agencies will address security risk before a computer system goes live on the network, rather than exposing a system that has not yet been appropriately locked down to exploitation of its vulnerabilities.

Both publications, in addition to SP 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems," support the Federal Enterprise Architecture, which was established in February 2002 as part of President Bush's e-government initiative to simplify and consolidate agency IT processes.

"The [certification and accreditation] process that [agencies] have grown to love is going away and will be melded into a system development life cycle and risk management process, where these components are built in from the start," Ross said. "It requires more discipline in how we build these systems and attention to detail in how they're deployed. This should have been happening from the start, but it wasn't; we talked about it, but never made it a reality until now."