Evolving guidelines seek to harmonize IT security for government systems
The National Institute of Standards and Technology is capping a multiyear effort to harmonize information technology certification and accreditation across the civilian, defense and intelligence communities with a set of newly revised guidelines for securing government IT systems.
The Joint Task Force Transformation Initiative, a partnership of NIST, the Office of the Director of National Intelligence, the Defense Department and the Committee on National Security Systems, is creating a common information security framework for agencies and contractors.
NIST is charged with developing standards and specifications for compliance with the Federal Information Security Management Act, which sets requirements for managing the security of government information systems outside the national security community. DOD and the intelligence agencies have developed their own standards and processes for national security systems.
A single governmentwide set of requirements for managing IT security could make it easier for agencies to share data and cooperate with one another and with states, foreign allies and the private sector. It could enable reciprocity (the acceptance of other agencies’ certification and accreditation processes without requiring recertification), and it also could streamline acquisition processes and make it easier for vendors and developers to meet a single set of standards.
The first publication produced under the joint task force was Revision 3 of Special Publication 800-53, “Recommended Security Controls for Federal Information Systems and Organizations,” released in July 2009. NIST called the revised version of SP 800-53 historic because the unified security controls reflect the security requirements of both the national security community and the rest of government.
The final draft of SP 800-37, Revision 1, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach,” the second document in the series, was released for public comment in November and is expected to be finalized in February.
Other publications that are part of the effort include:
SP 800-39, due out midyear, will cover guidance for strategic to tactical risk management.
SP 800-53A, with assessment procedures for security controls, is due out in March.
SP 800-30, with new risk management guidelines.
In addition to harmonizing IT security standards across government, NIST also is working with the private sector to map relationships between NIST-developed security standards and guidelines and those of the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) 27001, Information Security Management System.