NIST develops federal unified information security framework

The Joint Task Force Transformation Initiative, headed by Ron Ross of NIST, brings together representatives from NIST, the Department of Defense, and the national intelligence community to revise existing information security publications so that they can be applied across all federal agencies.

“The purpose of this collaboration is to produce five documents that all federal government communities can accept and implement so that we have a more unified framework that we can implement across the federal government”, Ross told Infosecurity.

The documents that have been revised so far are the Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST Special Publication 800-37); Recommended Security Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53); and Guide for Assessing the Security Controls in Federal Information Systems and Organizations (NIST Special Publication 800-53A).

A draft of the fourth document in this series, Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View (NIST Special Publication 800-39), was published this week. The document takes a three-tiered risk management approach that moves from organization to missions to information systems, NIST explained. The goal of the document is to ensure that federal government officials manage information security risks strategically and make investment and operations decisions based on core mission and business functions.

“This publication takes a strategic approach to risk management with regard to the use of information systems and the security risks derived from the use of those systems, as opposed to a tactical approach”, Ross said. The first tier in this approach is governance, he explained. This involves development of an enterprise-wide risk management strategy.

Enterprises will use that risk management strategy to go down to the second tier, which is where the mission and business processes are developed, he said. “This is where we talk about things that will make more secure information systems, things like enterprise architecture.”

The third tier is where the information systems are located. “Information from tiers one and two is intended to help us build better information security systems and help us have fewer vulnerabilities.”

“You’ve got to build security in, not bolt it on at the end”, Ross said. So the three tiers help to build information security in at the front end. “If we do things right at tier one and two, we can actually influence how information security gets built and deployed” at the third level.

“We are on a constant treadmill of chasing new vulnerabilities… There is an endless supply of these vulnerabilities that emerge because the hardware, software, and applications are complex. The two things that will continue to haunt us are complexity and connectivity… We are going to have to do a whole lot better at how we engineer and build our information systems in order to reduce the number of vulnerabilities to a more manageable level”, Ross observed.

The final comment period on the draft document runs until January 25, 2011. A draft of the final document in the series, Guide to Conducting Risk Assessments (NIST Special Publication 800-30), is expected to be ready next year.