GAO: securing information can be simplified
Thursday - 9/23/2010, 8:43pm EDT
The Government Accountability Office just put out a report on the progress of what they call "harmonizing" policies for secure and non-secure systems.
"Historically, civilian and national security-related IT systems have been governed by different sets of policies and procedures," said Gregory Wilshusen, Director of Information Security Issues at GAO. "Both sets of guidance can cover similar topics and processes such as certification and accreditation and risk assessments."
The Office of Management and Budget and the National Institute of Standards and Technology have been responsible for setting guidelines for civilian information systems, while the Department of Defense, the intelligence community and the Committee on National Security Systems have regulated the national security information systems.
As a result, Wilshusen said, organizations with such responsibilities could not easily assess the security of other federal information systems.
Because agencies did not understand how other agencies were maintaining information security, reciprocity, in which one agency accepts another agency's standards, was hampered; agencies felt the need to recertify and reaccredit systems, costing time and money in the process.
While complete harmonization isn't possible, Wilshusen said, any progress will help to cut out the re-certification process and will help vendors.
"Particularly contractors and IT system developers to have a more harmonized set of requirements to build to when they're developing these systems," Wilshusen said.
In 2009, agencies took a step forward by starting a task force to discern which guidance and policies are suitable for harmonization.
"What we found is that they're making progress in undertaking that effort," Wilshusen said.
NIST has led the task force, and has already published three harmonized sets of guidance. But while NIST does not have the authority to mandate the use of the harmonized guidance, the Committee on National Security Systems does.
"They issued an instruction guiding their members to go ahead and use the harmonized NIST guidance," Wilshusen said.
You can read GAO's full report here.