
NIST Releases New Federal Security Control Catalog


Aug 4, 2009

The National Institute of Standards and Technology yesterday rolled
out the first installment of what it hopes will act as a unified
information security framework for the entire federal government.

Brought forth in partnership with the Department of Defense (DOD), the
Intelligence Community (IC) and the Committee on National Security
Systems (CNSS), the draft of the Recommended Security Controls for Federal Information Systems and Organizations
acts as the first deliverable in a three-year initiative that will
create a common information security platform for the information
systems of both civilian and defense agencies. The two types of
government entities have traditionally operated on different playing
fields in regard to security controls.

“The common security control catalog is a critical step that
effectively marshals our resources,” Ron Ross, NIST project leader for
the joint task force, said in a statement. “It also focuses our security
initiatives to operate effectively in the face of changing threats and
vulnerabilities.”

Ross and his colleagues at NIST believe that the unified framework will
save the government by standardizing risk management policies, plus
technology, tools and techniques across agencies. The draft presented
yesterday is a revision of the initial security control catalog that
was published to satisfy requirements set forth by the Federal
Information Security Management Act (FISMA) of 2002.

It is still unclear whether these revisions will have a substantial
effect on agencies that have largely failed to improve security
practices the way lawmakers hoped to compel them to with the passage of
FISMA. Just last month the Government Accountability Office (GAO) issued a report that found FISMA requirements insufficient to improve information security practices.

The GAO proclaimed that "persistent weaknesses in information security
policies and practices continue to threaten the confidentiality,
integrity, and availability of critical information and information
systems used to support the operations, assets, and personnel of most
federal agencies."

NIST officials cited President Obama’s last speech on cyber-security as
the driving force behind its comprehensive plan to rework the federal
government’s security framework. On May 29, Obama was heralded for his
vision of “integrating all cyber-security policies for the government”
and was widely expected to make an immediate appointment of a
cyber-security czar to bring all of these policies together.

However, Obama’s security plan has seemed to list off course a bit
since then. The permanent cyber-security czar position remains
unfilled. And the release of the NIST draft was coincidentally aligned
with the resignation yesterday of top federal cyber-security staffer
Melissa Hathaway.

Picked by President Obama to lead a thorough assessment of the nation’s
cyber-security strategy and act as interim cyber-security czar,
Hathaway had long been rumored to be a front-runner in the race for
Obama’s permanent cyber-security czar position. She cited personal
reasons for stepping down from her current position.

 
