NIST: Simplicity can be great cybersecurity defense
Friday - 8/26/2011, 2:43pm EDT
Federal News Radio
Simplicity can be a great defense when it comes to government technology systems. That's what the National Institute of Standards and Technology's senior fellow Ron Ross argued at a forum Wednesday about lowering the cost of government through technology.
NIST is publishing several documents to help agencies keep things simple, including risk assessment guidelines due out late next month, an updated catalog of cybersecurity threats later this fall and a systems and security guideline publication early next year.
Ross said government IT systems have become more vulnerable to cyber threats as they have become more complex. He spoke before industry and agency members at the conference, which was sponsored by the media company FedScoop.
Agencies should make security decisions based on risk because they cannot guard against every complexity, Ross said. He added that simplifying and standardizing systems can make security much easier for less money.
To do that, he said, agencies need to take a step back and look at how their technology can help them complete their missions, rather than trying to retrofit old technology for new purposes.
He called it "enterprise architecture on steroids." NIST's systems and security guidelines will help agencies take this approach to their systems, but he gave a small preview at the forum.
"Through things like cloud computing and data center consolidation, reducing complexity will give us opportunities to understand how we can deploy our safeguards and countermeasures in the best way possible," Ross said.
In the meantime, the draft risk assessment guide to be released next month should help agencies make everyday decisions on evaluating and reacting to threats. Ross said agencies trying to save money can use it to target their resources to their needs.
"We only deploy controls where we see a threat, we have a vulnerability, and there's the possibility or likelihood that that threat could actually exploit the vulnerability to bring down a critical mission or impede your operations in some way," said Ross. "That's working smart, as opposed to just working with one-size-fits-all."
The updated security control catalog will emphasize that people, as well as technology, present threats. It will include a section on insider threats, inspired by the 2010 scandal that leaked thousands of documents to the website WikiLeaks. Ross said the catalog also will include information on supply chain threats; the computer worm Stuxnet, which targeted Iranian nuclear facilities; and an appendix on privacy controls.
(Copyright 2011 by Federal News Radio. All Rights Reserved.)