NIST Releases New Federal Security Control Catalog
By Ericka Chickowski | Posted 2009-08-04
The National Institute of Standards and Technology has rolled out the beginnings of a unified information security framework for the entire federal government.
The National Institute of Standards and Technology yesterday rolled out the first installment of what it hopes will act as a unified information security framework for the entire federal government.
Brought forth in partnership with the Department of Defense (DOD), the Intelligence Community (IC) and the Committee on National Security Systems (CNSS), the draft of the Recommended Security Controls for Federal Information Systems and Organizations acts as the first deliverable in a three-year initiative that will create a common information security platform for the information systems of both civilian and defense agencies. The two types of government entities have traditionally operated on different playing fields in regard to security controls.
"The common security control catalog is a critical step that effectively marshals our resources," Ron Ross, NIST project leader for the joint task force said in a statement. "It also focuses our security initiatives to operate effectively in the face of changing threats and vulnerabilities."
Ross and his colleagues at NIST believe that the unified framework will produce savings for the government by standardizing risk management policies, as well as technology, tools and techniques, across agencies. The draft presented yesterday is a revision of the initial security control catalog, which was published to satisfy requirements set forth by the Federal Information Security Management Act (FISMA) of 2002.
It is still unclear whether these revisions will have a substantial effect on agencies that have largely failed to improve security practices as lawmakers hoped to compel them to do when they passed FISMA. Just last month the Government Accountability Office (GAO) issued a report that found FISMA requirements insufficient to improve information security practices.
The GAO proclaimed that "persistent weaknesses in information security policies and practices continue to threaten the confidentiality, integrity, and availability of critical information and information systems used to support the operations, assets, and personnel of most federal agencies."
NIST officials cited President Obama’s most recent speech on cyber-security as the driving force behind the agency’s comprehensive plan to rework the federal government’s security framework. On May 29, Obama was heralded for his vision of "integrating all cyber-security policies for the government" and was widely expected to make an immediate appointment of a cyber-security czar to bring all of these policies together.
However, Obama’s security plan has seemed to list off course a bit since then. The permanent cyber-security czar position remains unfilled. And the release of the NIST draft was coincidentally aligned with the resignation yesterday of top federal cyber-security staffer Melissa Hathaway.
Picked by President Obama to lead a thorough assessment of the nation’s cyber-security strategy and act as interim cyber-security czar, Hathaway had long been rumored to be a front-runner in the race for Obama’s permanent cyber-security czar position. She cited personal reasons for stepping down from her current position.