Ross creates security standards office
- By Joab Jackson
- Apr 17, 2003
Ron Ross, former head of the National Information Assurance Partnership, has founded an office to develop the standards for certifying that new agency systems are secure, Ross told Washington Technology today.
The Certification and Accreditation Program of the National Institute of Standards and Technology will roll out in two phases, Ross said.
In the first phase, now under way, the team will develop the standards for evaluating a new system's security. In the second phase, which Ross said would occur over the next few years, the office will establish a network of accredited organizations to provide security certification services based on these guidelines.
Ross said these standards could be used to evaluate systems as small as an office network or as large and complex as an agencywide financial system.
The Office of Management and Budget Circular A-130 requires agencies use an accreditation officer. This person could be either an in-house employee but not involved in the project or an independent contractor who would certify that a new system is secure and that any misuse would not compromise the agency's mission.
Factors ranging from the security of the IT equipment to the reliability of the "guards, guns and gates" that surround it must be evaluated. Until a system is designated as safe, it cannot go live, Ross said.
NIST is developing a specific set of standards for accrediting systems but will not check out systems itself. It will begin a process that will qualify companies and agencies to do this.
Ross said he started this initiative about a year ago at the partnership. Because systems security has grown in importance since the Sept. 11 terrorist attacks, the project eventually "took on a life of its own," Ross said, and he found himself devoting most of his time to it.
The partnership oversees the Common Criteria evaluation process, which sets government standards for evaluating the security of a piece of equipment. The Defense Department, for instance, uses Common Criteria as a qualification for equipment handling information related to national security.
Ross' new program will be different from Common Criteria in that it will evaluate systems rather than individual products, he said.
Joab Jackson is the senior technology editor for Government Computer News.