NIAP offering security forum

The National Information Assurance Partnership is offering agencies and industry a forum to determine how to build security requirements into the development cycle of commercial products, something that would make it easier to secure an organization's systems enterprisewide.

In the current information technology environment, agencies trying to secure networks made up of commercial off-the-shelf hardware and software must purchase add-on products or customize the COTS products.

But adding security products after installation takes time and money. Furthermore, customization leaves the agency with a system that is no longer supported by the vendor and that will not be easy to upgrade.

The NIAP, a partnership between the National Institute of Standards and Technology and the National Security Agency, brought together security experts from government, industry and academia this week to discuss possible ways to overcome these problems.

The consensus—that there needs to be more communication on what the exact requirements are—will not immediately fix security, but work must start on developing and collecting these requirements and getting them into the development cycle, officials said.

"We can't wait for years; we've got to rapidly converge on requirements," said Stuart Katzke, senior adviser at the NIAP.

Agencies including the Federal Aviation Administration are starting to work with the NIAP to better define their security requirements, and the NIAP is looking for other target communities where the organization can serve as a catalyst, Katzke said.

The smart-card group hosted by the NIAP has had success in bringing together users and vendors, and it is being offered as a model for new working groups to address security needs in other areas.

The group demonstrated that simply developing requirements at the user level will not be enough and that a link must be made to the product vendors, or there will be a disconnect between the needs and the results. For example, a financial services group that tested commercial smart cards against its requirements failed almost every single one, said Ken Ayer, vice president of risk management at Visa International Inc. and chairman of the Smart Card Security Users Group.

"Almost nothing is built to specification the first time around," he said.
