GAO: securing information can be simplified
Thursday - 9/23/2010, 8:43pm EDT
The Government Accountability Office just put out a report on the progress of what they call "harmonizing" policies for secure and non-secure systems.
"Historically, civilian and national security-related IT systems have been governed by different sets of policies and procedures," said Gregory Wilshusen, Director of Information Security Issues at GAO. "Both sets of guidance can cover similar topics and processes such as certification and accreditation and risk assessments."
The Office of Management and Budget and the National Institutes of Standards and Technology have been responsible for setting guidelines for civilian information systems, while the Department of Defense, the intelligence community and the Committee on National Security Systems have regulated the national security information systems.
As a result, Wilshusen said, organizations with those responsibilities could not easily assess the security of other federal information systems.
Without an understanding of how other agencies maintained information security, reciprocity, in which one agency accepts another agency's standards, was hampered, and agencies felt the need to recertify and reaccredit systems, costing time and money in the process.
While complete harmonization isn't possible, Wilshusen said, any progress will help cut out the recertification process and will help vendors.
"Particularly contractors and IT system developers, to have a more harmonized set of requirements to build to when they're developing these systems," Wilshusen said.
In 2009, agencies took a step forward by starting a task force to discern which guidance and policies are suitable for harmonization.
"What we found is that they're making progress in undertaking that effort," Wilshusen said.
NIST has led the task force and has already published three harmonized sets of guidance. While NIST doesn't have the authority to mandate the use of the harmonized guidance, the Committee on National Security Systems does.
"They issued an instruction guiding their members to go ahead and use the harmonized NIST guidance," Wilshusen said.
You can read GAO's full report here.