NIST prepares due diligence standards for cybersecurity

As initiative moves into its second phase, some industry officials question whether improvements are real

The National Institute of Standards and Technology is taking new steps to help federal agencies develop a more realistic approach to cybersecurity. In collaboration with the Defense Department and the Office of the Director of National Intelligence, NIST will create a common foundation for risk management, officials said.

Ron Ross, senior computer scientist at NIST, said that because agencies cannot avoid risk, officials should approach cybersecurity by weighing the consequences of a data breach on their agency’s mission. NIST is developing a foundation of standards and guidelines to help officials find a balance between protecting information systems and achieving their agencies’ missions.

“You’re not going to have the same answer across the federal government,” Ross said at an industry event sponsored by GTSI last month. “This is all about having to think about the problem.”

For about five years, agencies have been working to comply with the security provisions of the Federal Information Security Management Act.

“FISMA is good legislation, and we’re making outstanding progress in implementing these policies,” Ross said, but now agencies have to rethink how they fulfill those provisions.

“You’ve got to deploy a sufficient set of security controls to protect every mission that the system is supporting,” Ross said. “We’ve never before had a standard of security due diligence that we’ve been able to define and hold agencies to.” Security due diligence must be the foundation for sharing information securely with other agencies, he added.

“You have to trust your partner to do the right thing,” Ross said. “You’ve got to understand the security state of not only your system but the system of your partner that you’re going to be sharing with.”

The emphasis on sharing data among agencies is still relatively new and not ingrained in agencies’ cultures, said Mark Kagan, research manager at IDC Government Insights and a former intelligence analyst at the National Security Agency.

Agencies are still working to implement the basics of information technology security, he added.

“After they share [information] with one person in another agency, they don’t have any control over it,” Kagan said.

Late this year, the national security community will issue its catalog ofsecurity controls, which will be similar to those in NIST’s Special Publication 800-53, said Sharon Ehlers, the lead for the system certification and accreditation effort.

Dale Meyerrose, ODNI’s chief information officer, and DOD CIO John Grimes initiated the effort last year. Likewise, the catalog for the national security community will suggest some revisions to NIST’s SP 800-53, which NIST would incorporate in its next release.

“We’re hoping in a year or 18 months to have one federal standard for all security controls and risk management,” Ehlers said.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.


  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.