Cybersecurity: Legislation, new security controls on same track

A new catalog of information security controls co-developed by NIST, the Pentagon and the intelligence community, along with information security legislation gaining traction in Congress, is expected to significantly improve federal cybersecurity standards.

A new catalog of information security controls co-developed by the National Institute of Standards and Technology, the Defense Department and the intelligence community, along with information security legislation gaining traction in Congress, is expected to significantly improve federal cybersecurity standards, according to government security experts.

“This is a great year for standards,” said Ron Ross, senior computer scientist and information security researcher for NIST, speaking earlier this week at a government symposium in Washington, sponsored by Symantec.

Ross highlighted two NIST initiatives — one focused on information security controls, and another on managing security risks — as some of the efforts he predicted would have a big impact on federal information security this year.

The first is NIST Special Publication 800-53, released earlier this month for public comment and due to be published July 31. Ross described the probable impact of 800-53 as unprecedented and “comparable to the Goldwater-Nichols Act,” in that it establishes for the first time a common, cross-government set of information security controls, much as the Goldwater-Nichols Act promoted a joint approach to military command.

SP 800-53, titled “Recommended Security Controls for Federal Information Systems and Organizations,” attempts for the first time to harmonize information assurance and security practices and requirements across civilian, military and intelligence agencies.

The new version of the NIST publication incorporates the information assurance controls of DOD Instruction 8500.2, as well as many of the guidelines contained in the national security control catalog, CNSS Instruction 1253. It also provides a set of security priorities agencies should follow, reminiscent of the Consensus Audit Guidelines released in February by a coalition of public- and private-sector information security organizations.

Ross expected it would also have a significant impact on the private sector, by giving “contractors a unified space” to work within.

The second strategic initiative, Ross said, revolves around NIST Special Publication 800-39, which provides a more comprehensive approach to analyzing how agency information systems are tied to the broader mission of the agency, and to managing risk at the enterprise level.

“It’s not just a system-by-system basis, but how you manage risk across the enterprise, and how it is pushed down into the enterprise,” he said.

The risk-management guidelines would put new focus on integrating security into the enterprise architecture of federal agency systems, improving reliability, and making business owners and program managers, not just IT teams, accountable for the security performance of IT systems, he said.

Meanwhile, a Senate bill introduced in April to strengthen the government’s Federal Information Security Management Act continues to gain traction in Congress and should promote further security improvements, said Erik Hopkins, a professional staff member on the Senate Homeland Security and Governmental Affairs Committee.

“The existing law is just a framework; it’s a governance structure. But the problem was no one really owned the systems,” Hopkins said.

The bill, the U.S. Information and Communications Enhancement Act of 2009, would direct agencies to actively monitor and fix security gaps in their computer systems, and would make agency officials more accountable for IT security matters.

Additional resources to address cybersecurity threats are also coming from the National Security Agency, said Tony Sager, chief of the Vulnerability Analysis and Operations Group in NSA’s Information Assurance Directorate.

NSA has been working more closely with the Defense Information Systems Agency, he said, to tackle common threats.

And despite historical differences in needs and requirements, “What we found is, if you get enough security people in the room, you’ll reach 90 percent agreement on how to address a problem in a short time,” he said. “If you have differences, manage them separately and put them into appendices.”

“Standardization doesn’t have to mean identical, and it doesn’t equate to static,” he said.