Cybersecurity: Legislation, new security controls on same track

NIST, DOD, intelligence community partner to bring about standardization

A new catalog of information and security controls co-developed by the National Institute of Standards and Technology, the Defense Department and the intelligence community, along with information security legislation gaining traction in Congress, are expected to significantly improve federal cybersecurity standards, according to government security experts.

“This is a great year for standards,” said Ron Ross, senior computer scientist and information security researcher for NIST, speaking earlier this week at a government symposium in Washington, sponsored by Symantec.

Ross highlighted two NIST initiatives — one focused on information security controls, and another on managing security risks — as some of the efforts he predicted would have a big impact on federal information security this year.

The first is NIST Special Publication 800-53, released earlier this month for public comment and due to be published July 31. Ross described the probable impact of 800-53 as unprecedented and “comparable to the Goldwater-Nichols Act,” in that it unifies for the first time a common cross-government coordination of information security controls, similar to the way the Goldwater-Nichols Act promoted a joint approach to military command.

SP 800-53, titled “Recommended Security Controls for Federal Information Systems and Organizations,” attempts to harmonize for the first time the best information assurance and security practices and requirements across civilian, military and intelligence agencies.

The new version of the NIST publication incorporates the DOD’s 8500-2 Information Assurance guidelines, as well as many of the guidelines contained in the National Security Control Catalog, CNSS 1253. It also provides a set of security priorities agencies should follow, reminiscent of the Consensus Audit Guidelines released in February by a coalition of public- and private-sector information security organizations.

Ross expected it would also have a significant impact on the private sector, by giving “contractors a unified space” to work within.

The second strategic initiative, Ross said, revolves around NIST’s Special Publication 800-39, which provides a more comprehensive approach to analyzing how agency information systems are tied to the broader mission of agencies and managing enterprise risk.

“It’s not just a system-by-system basis, but how you manage risk across the enterprise, and how it is pushed down into the enterprise,” he said.

The risk-assessment guidelines would put new focus on integrating security into the enterprise architecture of federal agency systems, improving reliability, and making business owners and program managers, not just IT teams, accountable for IT system performance, he said.

Meanwhile, a Senate bill introduced in April to strengthen the government’s Federal Information Security Management Act continues to gain traction in Congress and should promote further security improvements, said Erik Hopkins, a professional staff member working on the Senate Homeland Security and Governmental Affairs Committee.

“The existing law is just a framework; it’s a governance structure. But the problem was no one really owned the systems,” Hopkins said.

The bill, the 2009 U.S. Information and Communications Enhancement Act, would ask agencies to actively monitor and fix security gaps in computer systems, and make agency officials more accountable for IT security matters.

Additional resources to address cybersecurity threats are coming from the National Security Agency, said Tony Sager, chief of the Vulnerability Analysis and Operations Group in NSA’s Information Assurance Directorate.

NSA has been working more closely with the Defense Information Systems Agency, he said, to tackle common threats.

And despite historical differences in needs and requirements, “What we found is, if you get enough security people in the room, you’ll reach 90 percent agreement of how to address a problem in a short time,” he said. “If you have differences, manage them separately and put them into appendices.”

“Standardization doesn’t have to mean identical, and it doesn’t equate to static,” he said.

About the Author

Wyatt Kash served as chief editor of GCN (October 2004 to August 2010) and also of Defense Systems (January 2009 to August 2010). He currently serves as Content Director and Editor at Large of 1105 Media.
