SPECIAL REPORT: Security Directives and Compliance
Delivering Knowledge
A knowledgeable government and contractor workforce is the cornerstone of compliance.
FISMA calls for “security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of (A) information security risks associated with their activities; and (B) their responsibilities in complying with agency policies and procedures designed to reduce these risks.”
But when it comes to the specifics of the “what, where, when and how” of education and training, FISMA does not elaborate.
“It depends on what you need to be trained on,” said George Bieber, Training Division Chief, Defense-wide Information Assurance Program (DIAP), in an interview with 1105 Custom Media. “FISMA just says that they need to get trained. It doesn’t say what kind of training or what depth of training. Was it awareness? Was it actually training, was it a lecture or was it hands on?”
According to Bieber, this lack of clarity about the types of training was one reason why DOD issued Directive 8570.1, “Information Assurance Training, Certification, and Workforce Management,” in August 2004. Guidance for the Directive was updated in May 2008.
The purpose is to “develop a DOD IA workforce with a common understanding of the concepts, principles, and applications of IA for each category, specialty, level, and function to enhance protection and availability of DOD information, information systems, and networks; and establish baseline technical and management IA skills among personnel performing IA functions across the DOD enterprise.”
On the civilian side there are also efforts to develop a baseline set of skills, such as the IT Essential Body of Knowledge, a DHS initiative designed to make sure all DHS IT pros have a standard skill set. It also stresses certification for security professionals.
Where’s The Beef?
“Twenty years ago, a very wise person said ‘you could always point to the DP shop because that’s where all the trouble was’,” Mark Wilson, CISSP, Computer Security Division at NIST told 1105 Custom Media.
Wilson is an editor/author of numerous documents, including NIST Special Publication 800-16 Information Technology Security Training Requirements: A Role- and Performance-Based Model.
“And this very wise person said, ‘20 years from now, the entire building is going to be the data processing shop’.”
How true. Today, IT is enterprise-wide and the responsibility goes enterprise-wide. “FISMA tries to address that by talking about annual exposure for all users for information awareness training; then identifying people with significant responsibilities; and finally getting them trained sufficiently so that they can do their jobs,” said Wilson.
Are agencies providing the training needed? According to Wilson, there are all kinds of different responses now, and what’s needed is an 8570-style program like DOD has done, applied across the entire government, or perhaps a certification program that is pushed out by OMB and OPM.
“It’s going to take something to up the ante beyond what we have now, because there are all kinds of different responses,” said Wilson. “We are getting there. We are better now than we were 10 or 15 years ago, but we are not there yet.”
Managing Your Risk
Another pressing issue is how the security community is going to incorporate Web 2.0, and the security risks inherent in today’s expectations of collaboration and information sharing.
“This gets back to the culture,” said Dr. Ron Ross, head of NIST’s FISMA compliance programs. “When you have a young person come into an organization, you hire a bright young person out of one of the universities and they’ve grown up doing texting and peer to peer file sharing and that’s a mindset to change. They come in and say well ‘why can’t I do that?’”
Dr. Ross explains that we can deploy all of the new technology, but it comes with a risk to the organization. “There is going to have to be soul searching by senior leaders. They need to decide if I use this technology, I’m going to bring this risk into the organization. And do that with their eyes wide open.”
The issue of managing risk is a key part of NIST SP 800-39, which is in draft and out for public comment right now.
“One of the fundamental premises that we are going to have to come to is the wise use of technology. Not just that I have the technology. Is it worth it for me to deploy everything I can possibly get my hands on and have 100% mission capability or should I maybe scale back on that a little bit, maybe go back to 80 or 90% but be a whole lot better protected. This is what the whole risk equation is about.”
A Growing Realization
Dr. Ross thinks there is a long way to go when it comes to the education and training requirements that we have today for the average worker.
“For the average employee, we spend maybe an hour or two. It’s a very, very small part of your training regimen. As we start to realize employees are the ‘pointy edge of the spear’ here – on the front lines in the cyber wars – you’re going to have to do a bit more to make sure that your employees are well trained.”
Ross advocates designing training programs that are effective in helping employees understand their responsibilities, and then making sure that government actually tests those capabilities to see if they are actually doing it.
That’s where SP 800-39 can play a big role. This directive addresses risk management and, in particular, managing risk for Information Systems.
The goal of this particular publication is to have senior leaders and executives understand that one critically important factor crucial to meeting their mission’s strategic goals is the smooth running of their Information Systems.
The reason this is so important is when many organizations describe their mission as “this is what we are going to do”, they don’t take into account their Information System as one of their major drivers, or one of the major factors enabling them to meet that mission.
The whole focus of this particular new directive is to help them understand this. It’s a new way for people to be thinking about how IT and how Information Systems affect their business.
So it’s not only about understanding how the Information System integrates into the strategic mission or business objectives of the organization, but also about how they accept the risk.
“What our objective is, is to give the organizations the right tools and techniques to do the job,” explained Dr. Ross.
“Controls, assessment procedures, risk categories, the whole nine yards; they’ve got to have the basics there in front of them, it’s a big tool kit, and teaching them how to use the tool kit effectively, but then letting them use the tool kit to craft solutions that make sense for their organization.”
Dr. Ross said while people are our greatest strength, they can also be our greatest weakness.
“We are getting a lot better at this whole business. A united front on our security standards and guidelines is a very big step in providing a unified framework for how we intend to protect our federal systems,” explained Dr. Ross.
And it all begins and ends with delivering essential knowledge to government staffers and contractors alike – beginning now.
SP 800-39: Managing Risk from Information Systems: An Organizational Perspective
This publication provides guidelines for managing risk to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems. Special Publication 800-39 is the flagship document in the series of FISMA-related publications developed by NIST and provides a structured, yet flexible approach for managing that portion of risk resulting from the incorporation of information systems into the mission and business processes of organizations.