Agencies must adapt at the speed of the hackers looking to crack into their systems
Donna Dodson, chief of the National Institute of Standards and Technology's Computer Security Division, outlined important upcoming events and revisions to security-related Special Publications, along with events aimed at assisting agencies in ongoing education, planning and reporting efforts.
The SP guidance series reports are part of NIST’s ongoing FISMA Implementation Project, which develops and updates security standards to help agencies create and maintain robust information security programs and effectively manage risk. In an exclusive interview with 1105 Government Information Group Content Solutions, Dodson explained how those in the cybersecurity arena face a variant of the established Moore’s law of microchip technology (which doubles the power of integrated circuits every two years). “The power of attackers now doubles every 18 months,” she said.
NIST’s standards testing, guidelines and special events are considered crucially important to the public-sector cybersecurity arsenal to help agencies address an ever-growing array of security challenges as they emerge, she explained.
Upcoming updates and events of interest to all parties involved in cybersecurity efforts include:
* Sept. 20-22, at the NIST Campus in Gaithersburg, Md., an educational workshop is planned, “Shaping the Future of Cybersecurity Education: Engaging Americans in Securing Cyberspace.” This three-day conference will highlight the work of the National Initiative for Cybersecurity Education (NICE). NIST coordinates NICE, which is made up of cybersecurity experts from NIST along with the Homeland Security Department, Education Department, National Science Foundation, Defense Department and Office of the Director of National Intelligence. More details about this event are available online at http://csrc.nist.gov/nice/.
* Also in September, there’s a Technology Workshop planned to support the National Strategy for Trusted Identities in Cyberspace initiative. NSTIC is a NIST-supported partnership between government and industry that’s focused on improving information assurance across the Internet. NSTIC is focused on developing ways to help reduce identity theft and build a vibrant marketplace that allows people to choose among multiple identity providers — both private and public — that would issue trusted credentials to prove identity. Interested parties both in government and the private sector should follow updates at http://www.nist.gov/nstic/ to learn more about this upcoming NSTIC event.
* Oct. 31-Nov. 2, 2011, NIST will lead the 7th Annual IT Security Automation Conference at the Hyatt Regency Crystal City in Arlington, Va. This upcoming conference will include educational tracks dedicated to continuous monitoring, software assurance, network security automation, management and compliance guidelines, and updates on IT security threats. “We will be featuring not just the tools and techniques to help agencies automate, manage and better control IT environments, but also the use cases that help prove how these technological tools really work,” Dodson explained. More information is available at www.nist.gov/itl/csd/7th-annual-scap-conference.cfm.
* A new version of SP 800-30, “Risk Management Guide for Information Technology Systems,” is due to be released in September to provide newly enhanced guidelines for agency risk assessment procedures.
* In the fall, agencies can expect Revision 2 of SP 800-18, “Guide for Developing Security Plans for Federal Information Systems,” which will deliver updated security planning guidance centered on the topics of security automation and continuous monitoring.
* Revision 4 of SP 800-53, “Recommended Security Controls for Federal Information Systems and Organizations,” is due to be released late in 2011 and will deliver updated privacy controls guidance to strengthen the relationship between privacy and security in federal agency security procedures. “With the widespread use of small mobile devices in government, security and privacy issues are more critical than ever,” Dodson said. New privacy controls to be added to SP 800-53 will cover transparency, individual participation and redress, data minimization and retention, use limitations, data quality, integrity and security as well as new accountability, audit and risk management controls. Other types of controls NIST is considering adding to SP 800-53 include those involving insider threats, Web-based and application security, mobile computing, cloud computing, and industrial control systems.
* The finalists in the SHA-3 cryptographic hash competition will undergo security and performance evaluations. NIST launched this public competition to develop a new cryptographic hash algorithm that will augment FIPS 180-4, the Secure Hash Standard. A winning algorithm will be selected in 2012, with a revised standard planned to be ready for approval in early 2013.
* Cybersecurity-related standards for the electric Smart Grid are expected in the first quarter of 2012. NIST is heavily involved in cybersecurity standards to support the development of the electric Smart Grid. Dodson described NIST’s standards development work here as “a critical mission for us.” NIST initiated the Smart Grid Interoperability Panel under the Energy Independence and Security Act of 2007. This group, with more than 600 members, is helping define requirements for essential communication protocols and other common specifications, including security.