GAO: securing information can be simplified

Thursday - 9/23/2010, 8:43pm EDT

Gregory Wilshusen, Director of Information Security Issues, GAO


Your IT systems have different rules in how you have to handle them. Some handle information related to national security, and some don't. This can be confusing, but a joint task force is looking at ways to simplify things.

The Government Accountability Office just put out a report on the progress of what they call "harmonizing" policies for secure and non-secure systems.

"Historically, civilian and national security-related IT systems have been governed by different sets of policies and procedures," said Gregory Wilshusen, Director of Information Security Issues at GAO. "Both sets of guidance can cover similar topics and processes such as certification and accreditation and risk assessments."

The Office of Management and Budget and the National Institute of Standards and Technology have been responsible for setting guidelines for civilian information systems, while the Department of Defense, the intelligence community and the Committee on National Security Systems have regulated the national security information systems.

As a result, Wilshusen said, organizations with security responsibilities could not easily assess the security of other federal information systems.

Without an understanding of how other agencies were maintaining information security, reciprocity, that is, one agency accepting another agency's standards, was hampered, and agencies felt the need to recertify and reaccredit systems, costing time and money in the process.

While complete harmonization isn't possible, Wilshusen said, any progress will help cut out the re-certification process and will help vendors.

"Particularly contractors and IT system developers, to have a more harmonized set of requirements to build to when they're developing these systems," Wilshusen said.

In 2009, agencies took a step forward by starting a task force to discern which guidance and policies are suitable for harmonization.

"What we found is that they're making progress in undertaking that effort," Wilshusen said.

NIST has led the task force and has already published three harmonized sets of guidance. But while NIST doesn't have the authority to mandate the use of the harmonized guidance, the Committee on National Security Systems does.

"They issued an instruction guiding their members to go ahead and use the harmonized NIST guidance," Wilshusen said.

You can read GAO's full report here.