Shows & Panels
- The 2014 Big Picture on Cyber Security
- AFCEA Answers
- Ask the CIO
- Connected Government: How to Build and Procure Network Services for the Future
- Continuing Diagnostics and Mitigation: Discussion of Progress and Next Steps
- Federal Executive Forum
- Federal Tech Talk
- The Intersection: Where Technology Meets Transformation
- Maximizing ROI Through Data Center Consolidation
- Moving to the Cloud. What's the best approach for me
- Navigating Tough Choices in Government Cloud Computing
- The New Generation of Database
- Satellite Communications: Acquiring SATCOM in Tight Times
- Transformative Technology: Desktop Virtualization in Government
- Value of Health IT
Shows & Panels
GAO: securing information can be simplified
Thursday - 9/23/2010, 8:43pm EDT
The Government Accountability Office just put out a report on the progress of what they call "harmonizing" policies for secure and non-secure systems.
"Historically, civillian and national security-related IT systems have been governed by different sets of policies and procedures," said Gregory Wilshusen, Director of Information Security Issues at GAO. "Both sets of guidance can cover similar topics and processes such as certification and accreditation and risk assessments."
The Office of Management and Budget and the National Institutes of Standards and Technology have been responsible for setting guidelines for civilian information systems, while the Department of Defense, the intelligence community and the Committee on National Security Systems have regulated the national security information systems.
As a result, Wilhausen said, organizations that have responsibilities could not easily assess the security of other federal information systems.
Without understanding how other agencies were maintaining information security meant that reciprocity, which is agencies accepting another agencies standards, was hampered, and agencies felt the need to recertify and reaccredit costing time and money in the process.
While complete harmonization isn't possible, Wilhausen said, any progress will help to cut out the re-certification process, and helps vendors.
"Particularly contractors and IT system developers to have a more harmonized set of requirements to build to when they're developing these systems," Wilhausen said.
In 2009, agencies took a step forward by starting a task force to discern which guidances and policies are suitable for harmonization.
"What we found is that they're making progress in undertaking that effort," Wilhausen said.
NIST has lead task force, and has already published three harmonized sets of guidances. But while NIST doesn't have the authority to mandate the use of the harmonized guidance, the Committee on National Security Systems does.
"They issued an instruction guiding their members to go ahead and use the harmonized NIST guidance," Wilhausen said.
You can read GAO's full report here.