NIAP offering security forum


The National Information Assurance Partnership is offering agencies and industry a forum to determine how to build security requirements into the development cycle of commercial products, something that would make it easier to secure an organization's systems enterprisewide.

In the current information technology environment, agencies trying to secure networks made up of commercial off-the-shelf hardware and software must purchase add-on products or customize the COTS products.

But adding security products after installation takes time and money. Furthermore, customization leaves the agency with a system that is no longer supported by the vendor and that will not be easy to upgrade.

The NIAP, a partnership between the National Institute of Standards and Technology and the National Security Agency, brought together security experts from government, industry and academia this week to discuss possible ways to overcome these problems.

The consensus—that there needs to be more communication on what the exact requirements are—will not immediately fix security, but work must start on developing and collecting these requirements and getting them into the development cycle, officials said.

"We can't wait for years; we've got to rapidly converge on requirements," said Stuart Katzke, senior adviser at the NIAP.

Agencies including the Federal Aviation Administration are starting to work with the NIAP to better define their security requirements, and the NIAP is looking for other target communities where the organization can serve as a catalyst, Katzke said.

The smart-card group hosted by the NIAP has had success in bringing together users and vendors, and it is being offered as a model for new working groups to address security needs in other areas.

The group demonstrated that simply developing requirements at the user level will not be enough and that a link must be made to the product vendors or there will be a disconnect between the needs and the results. For example, a financial services group that tested commercial smart cards against its requirements failed almost every single one, said Ken Ayer, vice president of risk management at Visa International Inc. and chairman of the Smart Card Security Users Group.

"Almost nothing is built to specification the first time around," he said.
