GAO: securing information can be simplified
Thursday - 9/23/2010, 8:43pm EDT
Your IT systems are subject to different rules for how you have to handle them. Some handle information related to national security, and some don't. This can be confusing, but a joint task force is looking at ways to simplify things.
The Government Accountability Office just put out a report on the progress of what they call "harmonizing" policies for secure and non-secure systems.
"Historically, civilian and national security-related IT systems have been governed by different sets of policies and procedures," said Gregory Wilshusen, Director of Information Security Issues at GAO. "Both sets of guidance can cover similar topics and processes such as certification and accreditation and risk assessments."
The Office of Management and Budget and the National Institute of Standards and Technology have been responsible for setting guidelines for civilian information systems, while the Department of Defense, the intelligence community and the Committee on National Security Systems have regulated the national security information systems.
As a result, Wilshusen said, organizations that have responsibilities could not easily assess the security of other federal information systems.
Not understanding how other agencies were maintaining information security meant that reciprocity, in which one agency accepts another agency's standards, was hampered, and agencies felt the need to recertify and reaccredit, costing time and money in the process.
While complete harmonization isn't possible, Wilshusen said, any progress will help cut out the recertification process and will help vendors.
"Particularly contractors and IT system developers to have a more harmonized set of requirements to build to when they're developing these systems," Wilshusen said.
In 2009, agencies took a step forward by starting a task force to discern which guidance and policies are suitable for harmonization.
"What we found is that they're making progress in undertaking that effort," Wilshusen said.
NIST has led the task force, and has already published three harmonized sets of guidance. But while NIST doesn't have the authority to mandate the use of the harmonized guidance, the Committee on National Security Systems does.
"They issued an instruction guiding their members to go ahead and use the harmonized NIST guidance," Wilshusen said.
You can read GAO's full report here.