Ross creates security standards office


Ron Ross, former head of the National Information Assurance Partnership, has founded an office to develop the standards for certifying that new agency systems are secure, Ross told Washington Technology today.



The Certification and Accreditation Program of the National Institute of Standards and Technology will roll out in two phases, Ross said.

In the first phase, now under way, the team will develop the standards for evaluating a new system's security. In the second phase, which Ross said would occur over the next few years, the office will establish a network of accredited organizations to provide security certification services based on these guidelines.



Ross said these standards could be used to evaluate systems as small as an office network or as large and complex as an agencywide financial system.



Office of Management and Budget Circular A-130 requires agencies to use an accreditation officer. This person, who could be either an in-house employee not involved in the project or an independent contractor, would certify that a new system is secure and that any misuse would not compromise the agency's mission.

Factors ranging from the security of the IT equipment to the reliability of the "guards, guns and gates" that surround it must be evaluated. Until a system is designated as safe, it cannot go live, Ross said.



NIST is developing a specific set of standards for accrediting systems but will not check out systems itself. It will begin a process that will qualify companies and agencies to do this.



Ross said he started this initiative about a year ago at the partnership. Because systems security has grown in importance since the Sept. 11 terrorist attacks, the project eventually "took on a life of its own," Ross said, and he found himself devoting most of his time to it.



The partnership oversees the Common Criteria evaluation process, which sets government standards for evaluating the security of a piece of equipment. The Defense Department, for instance, uses Common Criteria as a qualification for equipment handling information related to national security.



Ross' new program will be different from Common Criteria in that it will evaluate systems rather than individual products, he said.

About the Author

Joab Jackson is the senior technology editor for Government Computer News.
