Howard to leave HUD for NRC

The Nuclear Regulatory Commission has selected Patrick Howard, chief information security officer at the Housing and Urban Development Department, to lead its new Computer Security Office. Howard will start his new position March 17, reporting to Darren Ash, NRC’s chief information officer and deputy executive director for information services. The Computer Security Office is an organizational change that meets requirements under the Federal Information Security Management Act for an enterprise information security program. Under Howard, HUD significantly improved information security, achieving an A+ on the 2006 FISMA score card. At NRC, which had a failing grade, Howard said he plans to improve compliance and the security program. His final day at HUD will be March 14. Ash looks to Howard’s knowledge and experience in information technology security to strengthen NRC’s program. “I know that Pat will provide vision, leadership and oversight in developing, promulgating and implementing an agency IT security strategy,” Ash said in a statement today. Howard said HUD’s program has a good foundation and will be able to move forward, maintain compliance, and face challenges and new threats. Under his stewardship, HUD established a comprehensive IT security program, including a strategic plan, developed policies and procedures, and built an organization and staffed it with quality people. A lot of his success is in maturing the program and getting the most out of it, he said. “I feel good about having accomplished something that will be long-lasting and have the opportunity to kind of run itself,” he said. Howard has been active in the CISO community, advancing federal IT security initiatives. HUD will integrate the FISMA reporting tool from the Environmental Protection Agency, a shared-service provider under the Information Systems Security Line of Business, into its current software. HUD also produced best-practices documents that it hopes to share with other agencies to improve the quality of their FISMA submissions. The products are policies and procedures, templates and instructions, frequently asked questions and answers, checklists, face-to-face training presentations and feedback. The aim is to have best practices that all agencies can use and have the same quality starting point. The best practices build on IT security guidelines from the National Institute of Standards and Technology.