SPECIAL REPORT: Security Directives and Compliance
|One Government, One Set Of Standards |
NIST SP 800-37 contains the proposed new federal security authorization process (commonly called C&A) that promotes the concept of “near real-time risk management” based on continuous monitoring of federal Information Systems.
One thing is clear about 21st century cyber warfare: The nation is fighting some very sophisticated, well resourced adversaries. They are coming at us hot and heavy. And many times – maybe unknowingly -- we invite them through our front doors and welcome them inside our Information Systems.
How do we stop them?
On the frontlines of this cyber war is Dr. Ron Ross, a NIST senior computer scientist and information security researcher. He currently leads the FISMA Implementation Project for NIST.
His bio is impressive. Publications authored include FIPS 199, FIPS 200, NIST SP 800-53, SP 800-53A, SP 800-37 and SP 800-39 (new risk management guidelines).
Dr. Ross is also the principal architect of the NIST Risk Management Framework that integrates the suite of FISMA security standards and guidelines into a comprehensive enterprise-wide information security program.
He is also a collaborator – and a realist.
No Longer “Business As Usual”
“We tend to read about the criticisms of FISMA and how things are not going well in a lot of cases,” said Dr. Ross in an interview with 1105 Custom Media. “But I think it’s important to take a step back as we go forward; and try to lay-in some standards and guidelines.”
“There’s going to have to be a change in the culture of how we confront cyber security,” Dr. Ross explained. “We can’t go along with ‘business as usual’ in a lot of cases.”
A prime example is when employees surf the web at work and unbeknownst to them a hostile site will implant some malicious code in their work station; and by the end of the day that work station has infected the entire corporate network.
“So I don’t think we fully realize that we are in a cyber war and the severity of that,” declared Dr. Ross. “And when you are in that kind of environment, every work station, every laptop, every PDA is the front line in this cyber war. I’m not sure that we’ve quite gotten to that mindset yet.”
For Dr. Ross the mindset is to act like a cyber warrior. “It’s a cliché but it means having more disciplined approaches to how you are doing business. We like to let people do everything they can, but there are inherent risks in operating in that kind of environment when we are using some of the COTS products that we have today and the way we architect those systems.”
But the fact is the IA community is going to have to come up with ways to increase collaboration and security – at the same time. There is no turning back to the world where if you protect the system, you have protected the data.
Now the task is to protect the data – whether it is in motion or at rest.
DOD, NIST and ODNI Get Together
“In June 2006, General Dale Meyerrose, CIO for the Office of the Director of National Intelligence (ODNI), sent out an initiative called the ‘C&A Transformation Initiative’,” Dr. Ross said.
As a result, representatives from DOD, NIST and ODNI came together to look at how they could transform the C&A process governmentwide. During the initial meeting it was decided that in order to reform the C&A process, the group would first look at all the fundamental pieces that are necessary to conduct that process.
To do that the group began looking at the risk management framework and all parts of the network where we have developed standardized methods to define security controls, which are the safeguards you would employ within an information system, said Dr. Ross.
“The end result was this NIST, ODNI and DOD partnership agreed to move forward and start to rewrite some of the documents, which will be coming out under the banner of the Committee on National Security Systems, or CNSS,” said Dr. Ross.
The CNSS is the committee that sets all the policies for the national security systems. According to Dr. Ross, over the past 18 months they’ve been developing a series of CNSS policies and instructions which for the most parallels what NIST has been doing. (e.g. NIST SP 800-53 will be CNSS Instruction 1253)
“Our larger objective over the long term is to have a single set of standards and guidelines for security for the entire federal government – so that we can present a unified front in trying to defend our systems,” said Dr. Ross.
C&A Out – Near Time Risk Management In
That was just Phase 1 in this convergence of standards. The three communities took C&A convergence to the next step Dr. Ross explained.
For the C&A process the DOD and ODNI decided that instead of building a new one, to take the NIST 800-37 approach and in a joint task force, try to redo 800-37 in a common process that’s acceptable to all three communities – Intel, DOD and Civilian.
SP 800-37 public comment is open through September 30. Contact the Computer Security Division at NIST or submit via email to: firstname.lastname@example.org.
To that end since March Dr. Ross has been leading a working group with representatives from the DOD, ODNI, CNSS and the FISMA team at NIST to produce a common process.
“What you saw published on August 19 – which was the initial public draft of the new 800-37 – really changes the fundamental way that we look at the whole process of C&A,” noted Dr. Ross.
“In fact it changes it so much that we don’t even use the term C&A any more in that document. We mention the term one time and then we move on to a new concept which we are calling near ‘real time risk management’.”
Currently the C&A process is static. “Every three years we go through great expense and a lot of effort to certify and accredit these systems. I call it the ‘big bang’.”
But the reality today is the IS environment is not static; it is constantly changing. So your hardware, your software, your firmware, your environment of operations, your missions, your business processes, all that is a dynamic environment that we have to deal with explained Dr. Ross.
“The threat sources, the threat agents are changing constantly. So we have to have a process that’s able to manage risk in the very dynamic and volatile environment that we see today – and that’s the primary thrust of 800-37.”
“We need to get a process that can give senior leaders the ability to do something very important, not just accept risk, that’s always been the purpose of the C&A,” Dr. Ross said.
“But I have to get a process that allows them to understand the risk. Understand and accept the risk. The understanding part is the more important part of the problem, because anybody can sign a piece of paper to authorize a system.”
Dr. Ross stressed that the real question, in today’s environment, with today’s critical missions is what kind of risk are you bringing in to the organization by the technology you’ve deployed? And what is your strategy to protect that mission and business process that the technology supports?
The Goal Is Convergence
Our goal in convergence is to make the standards and guidelines that the government uses in general more unified said Dr. Ross. “We need to give a clear and concise picture of what has to be done and how to do it, and not just for our federal agencies, but also for our entire contracting base that does business with the federal government.”
This also represents an enormous cost savings for the government because a contractor doesn’t have to do three separate things for their DOD, Intel and Civilian customers.
“For all those reasons we’ve been working extremely hard to get this convergence underway, and we’ve made extraordinary progress,” Dr. Ross said.
“800-37 is the test case. This is going out for public review; we hope to finalize it by the end of the year. Then if that is successful this may serve as a model for how we proceed with the rest of our documents.
For example we could take 800-53 and say look this can serve as the entire security control catalogue for the entire federal government. That could be the next target in our list of convergence activities.”
What’s also exciting is how the three groups are collaborating together towards a common goal.
“This is very exciting stuff, and I’ve just been extraordinarily pleased with my partners; everyone has been coming at this with a common objective,” noted Dr. Ross.
“Our Working Group was very consensus based; everybody checked their baggage at the door. It’s been one of those efforts that you don’t come across a whole lot, and it’s just been extremely satisfying. I was really proud and pleased to be a part of it.