Improving federal cybersecurity need not depend on Congress
Another year is drawing to a close, and Congress — locked in partisan gridlock and unable to fulfill its most basic responsibilities — again has failed to update any of the nation’s cybersecurity laws.
The need for cybersecurity reform is cited repeatedly by lawmakers, IT professionals and privacy advocates, but nothing is done. According to a recent report from the Congressional Research Service, “More than 50 statutes address various aspects of cybersecurity either directly or indirectly, but there is no overarching framework legislation in place. While revisions to most of those laws have been proposed over the past few years, no major cybersecurity legislation has been enacted since 2002.”
Fortunately, you don’t have to depend on Congress to secure your systems. The National Institute of Standards and Technology, which can’t tell you what to do, can tell you how to do it. Under the Federal Information Security Management Act, NIST continues to update and expand security guidance for government and for private sector IT systems that choose to use it.
So far this year, NIST has published 10 new or updated special reports in its 800 series of computer security documents, released drafts of nine special pubs, and issued five Interagency Reports on cybersecurity.
These publications contain specs, guidelines and requirements for securing government systems and offer flexible and frequently updated information on technology-agnostic standards and best practices. Each agency must decide for itself what security features and controls to implement and how to do it, but NIST makes the information needed to do this available.
Highlights of this year’s work include:
The fourth revision of SP 800-53, the foundational catalog of security and privacy controls for federal IT systems. First published in 2005 and last updated in 2009, the latest revision is the most comprehensive to date and focuses on designing and acquiring trustworthy systems that have security built in.
The revised SP 800-124 guidelines for management of mobile device security. These sharpen the focus of the original 2008 publication, excluding laptops and low-end cell phones, to zero-in on high-end phones and tablets. It also explains security concerns inherent in mobile devices, with recommendations for centralized management technologies to address these risks.
A draft of the new guidelines for supply chain risk management in SP 800-61. With increasing government reliance on off-the-shelf hardware and software produced through a global supply chain, agencies need better understanding of possible risks. The publication gives guidance for identifying, assessing and mitigating these threats.
A new version of SP 800-40, with revised guidelines for enterprise patch management. Patching vulnerabilities is critical to maintaining security, but managing the process at the enterprise level is complex. This document describes the challenges as well as the technology available for meeting them.
Production of these documents does not ensure adequate security for government IT systems. But any agency with the will to assess and manage the risks in its systems can get the up-to-date information it needs to do its job. That’s not necessarily an easy job, but help is available.
Posted by William Jackson on Nov 22, 2013 at 11:50 AM