Progress is slow on harmonizing government cybersecurity policies

Civilian, military and intelligence agencies have been cooperating for two years to bring their information security policies into line with each other, and the Government Accountability Office says in a new report that it is time to move beyond the basics.

“The harmonization effort has the potential to reduce duplication of effort and allow more effective implementation of information security controls across interconnected systems,” GAO wrote in its report on harmonizing IT security guidance. But, “to fully realize the benefits of the harmonized guidance, additional work remains to implement it.”

The Joint Task Force Transformation Initiative Interagency Working Group was formed in April 2009 by the National Institute of Standards and Technology, the Defense Department and the Office of the Director of National Intelligence to produce a unified information security framework, with NIST taking the lead and publishing guidance.

Three publications have been issued, but recertification of Defense Department IT systems to new common standards could take up to three years after new guidelines are released, and final development of guidelines still is a year or more off. The intelligence community estimated that implementing change in its IT systems could take three to five years from the time standards and guidance are in place. For some difficult-to-service systems, such as satellites, the current standards implemented could remain unchanged throughout their operational lives.

Related stories:

NIST releases security assessment guide

The cyber attack that awakened the Pentagon

The task force’s flexible, informal process has worked well so far, but might not be adequate for the future, GAO concluded. “Whle the task force’s approach to managing the harmonization effort may not have hindered development to date, plans for future publications have slipped, in part because of the challenges of coordinating such a cross-agency effort.”

GAO recommended that the task force adopt a more formal approach to the collaboration.

There has been a long-standing divide in oversight of government IT systems. The Federal Information Security Management Act sets general requirements, but it does not apply to systems designated as national security systems. Generally, the Office of Management and Budget develops policies and guidance and oversees FISMA compliance, and NIST is responsible for developing the technical standards.

The Committee on National Security Systems sets the policy for national systems. DOD has largely exempted itself from FISMA for non-national security systems by establishing its own Information Assurance Framework, which includes more stringent standards than FISMA.

“The variances in guidance were sufficient to cause several unintended and undesirable consequences for the federal community,” GAO wrote. “For example, both DOD and NIST had catalogs of information security controls that covered similar areas but had different formats and structures.”

This complicated oversight because the security of federal information systems could not easily be assessed and compared. And reciprocity, the mutual agreement among enterprises to accept each other’s security assessments, was hampered because of apparent differences in interpreting risk levels. Because agencies were not confident in other agencies’ certification and accreditation results, recertification and reaccreditation of systems sometimes has been required when not necessary.

The task force grew out of efforts beginning in 2006 to harmonize policies and requirements in DOD and the intelligence community. NIST was an information participant and was formally included in 2009 to lead the working group when its scope was broadened to include civilian non-national security systems covered under FISMA.

“This harmonized security guidance is expected to result in less duplication of effort and more effective implementation of controls across multiple interconnected systems,” GAO said.

To date, the task force has completed three documents, which are revisions of existing NIST Special Publications:

• SP 800-53, Revision 3, "Recommended Security Controls for Federal Information Systems and Organizations," published in August 2009.
• SP 800-37, Revision 1, "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach," published in February.
• SP 800-53A, Revision 1, "Guide for Assessing the Security Controls in Federal Information Systems and Organizations."

Two more publications are planned. SP 800-39, Enterprise-Wide Risk Management: Organization, Mission and Information Systems View, is scheduled for publication in January, while SP 800-30, Revision 1, Guide for Conducting Risk Assessment, will appear in February.

Two additional publications are under consideration, a Guide for Information System Security Engineering, which could be released in September 2011, and a Guide for Software Application Security which could be released in November 2011.

Because it has no authority over national security systems, NIST issues the guidance and CNSS authorizes its use in national security systems.

Remaining differences between guidance in the two communities include such areas as system categorization, selection of security controls, and program management controls. Officials at NIST and CNSS told GAO that some differences could be addressed in the future but that some might remain because of the special nature of national security systems.

CNSS and NIST agreed with GAO that going forward the task force should complete plans to identify future areas for harmonization efforts and consider how key collaborative practices, such as documenting roles and responsibilities, needs, resources, and monitoring and reporting mechanisms, could help the effort.