CAG plays complementary role on security
Prioritized list of controls doesn't replace FISMA guidance
The information technology security controls recently released as the Consensus Audit Guidelines are not intended to replace guidance for complying with federal IT security requirements. But they could complement those efforts by supplying a prioritized baseline of controls.
SIDEBAR: CAG's 20 high-priority areas
The National Institute of Standards and Technology, charged with developing standards and guidelines for complying with the Federal Information Security Management Act (FISMA), has produced a comprehensive set of recommended security controls that covers much of the same territory as CAG, which was developed by a group of government and private-sector organizations.
“We included many of the same control elements addressed in the CAG initiative,” said Ron Ross, a senior computer scientist at NIST.
NIST recently released for review its first major update of the guidelines, Special Publication 800-53, titled "Recommended Security Controls for Federal Information Systems and Organizations." When the public review for SP 800-53 ends March 27, the two documents could be more closely aligned.
“Hopefully, we will be able to cover many of the things that CAG has done,” Ross said.
He does not see the two sets of guidelines as being in competition with one another, but he warned that focusing on a small subset of threats, vulnerabilities and controls could make managers miss fundamental weaknesses in information systems.
“Security managers need to take a holistic approach to a challenging set of problems,” he said. “The controls work as an interlocking set.”
CAG does not try to offer a comprehensive set of security controls but instead is an attempt to prioritize concerns and identify tools that can provide the best returns by focusing on critical issues and low-hanging fruit. CAG cites proposed FISMA reform legislation that calls for a prioritized baseline of IT security controls that can be continuously and automatically monitored.
“This consensus document is designed to begin the process of establishing that prioritized baseline of information security measures and controls,” the guidelines state. “The consensus effort that has produced this document has identified 20 specific security controls that are viewed as essential for blocking known high-priority attacks. Fifteen of these controls can be monitored, at least in part, automatically and continuously. The consensus effort has also identified a second set of five controls that are essential but that do not appear to be able to be monitored continuously or automatically with current technology and practices.”
However, FISMA already provides for meaningful security controls, Ross said. Since the law’s passage, NIST has developed a library of standards, specifications and guidance for complying with FISMA and standardizing and improving security.
“There continues to be a notion that FISMA is all about paperwork and compliance,” he said. “FISMA is about trying to improve the quality of information security. SP 800-53 is all about specific controls with detailed guidance.”
Although he is wary of agencies focusing too narrowly when implementing security controls, Ross said CAG could be a valuable resource. “We appreciate the contribution this group is making,” he said. “We’re going to be looking to see if anything that comes out of this we can benefit from. We’re looking for any possible way to improve what we’ve done.”
The CAG team is seeking comments on its guidelines, which should be sent to email@example.com by March 25.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.