Ross creates security standards office

Ron Ross, former head of the National Information Assurance Partnership, has founded an office to develop the standards for certifying that new agency systems are secure, Ross told Washington Technology today.

The Certification and Accreditation Program of the National Institute of Standards and Technology will roll out in two phases, Ross said.

In the first phase, now under way, the team will develop the standards for evaluating a new system's security. In the second phase, which Ross said would occur over the next few years, the office will establish a network of accredited organizations to provide security certification services based on these guidelines.

Ross said these standards could be used to evaluate systems as small as an office network or as large and complex as an agencywide financial system.

The Office of Management and Budget Circular A-130 requires agencies to use an accreditation officer. This person, who could be either an in-house employee not involved in the project or an independent contractor, would certify that a new system is secure and that any misuse would not compromise the agency's mission.

Factors ranging from the security of the IT equipment to the reliability of the "guards, guns and gates" that surround it must be evaluated. Until a system is designated as safe, it cannot go live, Ross said.

NIST is developing a specific set of standards for accrediting systems but will not check out systems itself. It will begin a process that will qualify companies and agencies to do this.

Ross said he started this initiative about a year ago at the partnership. Because systems security has grown in importance since the Sept. 11 terrorist attacks, the project eventually "took on a life of its own," Ross said, and he found himself devoting most of his time to it.

The partnership oversees the Common Criteria evaluation process, which sets government standards for evaluating the security of a piece of equipment. The Defense Department, for instance, uses Common Criteria as a qualification for equipment handling information related to national security.

Ross' new program will be different from Common Criteria in that it will evaluate systems rather than individual products, he said.

About the Author

Joab Jackson is the senior technology editor for Government Computer News.
