NIST releases guidance to unify Defense, civilian security controls

Analysis showed most DoD, intelligence and civilian agencies' security controls were similar, making it possible to build a common governmentwide approach.

The National Institute of Standards and Technology released updates for computer security controls on Thursday, the first in a series of changes the agency is making to build a common process for protecting networks operated by civilian, Defense Department and intelligence agencies.

The Defense and intelligence agencies have their own information security guidelines, separate from those created by civilian agencies. The different approaches have made it difficult to secure networks because vendors spend more time developing technology products to meet different standards and federal network administrators don't have common procedures they can follow.

But in its third revision of Special Publication 800-53, "Recommended Security Controls for Federal Information Systems and Organizations," NIST for the first time includes security controls for both national security and non-national security networks. The security control catalog incorporates best practices in information security from the Defense Department, the intelligence community and civilian agencies.

To develop the catalog, NIST compared three documents:

-- The previous version of SP 800-53

-- Director of Central Intelligence Directive 6/3, "Protecting Sensitive Compartmented Information Within Information Systems"

-- Defense's Instruction Number 8500.2, "Information Assurance Implementation"

"The analysis showed that we had about 90 percent of security controls in common," said Ron Ross, senior computer scientist and information security researcher at NIST. "That gave us a big clue that we could make this happen."

According to Ross, the three primary differences in the computer security standards used by the Defense and intelligence communities involve physical security (more guards, guns and gates protecting the networks), tighter clearance requirements for computer users, and greater use of sophisticated cryptography to disguise information as it travels over the network. Remove those three controls, he said, and the approaches to information security are all similar.

"These common standards from NIST just establish a level that everyone must play to, without constraining people to the minimum standard," said Mike Jacobs, who served as information assurance director at the National Security Agency until his retirement in 2002. "It's a step in the right direction that will create some degree of uniformity. Before, you had three or four related but somewhat different standards, and applying any one of them would've been satisfactory. But everyone wanted ownership."

Unifying the information security controls will require less time from federal IT managers for system maintenance and from vendors for product development, because both the IT staff and vendor community can comply with a single standard.

"At the end of the day, if you can speak with one voice, you speak with greater clarity and you have a greater chance of getting more cost-effective security that raises the bar in your ability to stop these increasingly sophisticated attacks," Ross said, adding that updates to controls will be more frequent to keep up with the threat landscape.

"Standards bodies work more deliberately and slowly," he said. "You want consensus and common ground, but in the case of security controls, we'll have to update these more rapidly. The nature of the attacks is changing, and we need to be more responsive."

NIST hopes to finalize the latest revision of SP 800-53, which is available for public comment, by the end of July.

The agency is working on two other publications that will support security standardization. The first revises SP 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems," which was first released in draft form in August 2008. The update will provide a more risk-based approach to determining which security controls agencies should deploy and how to implement and test the technology. It will emphasize that agencies need to monitor networks continuously and will incorporate information security into system development.

NIST will release SP 800-39, "Managing Risk From Information Systems," later this year. It will provide guidance in a more holistic, top-down approach to recognizing potential threats to computer systems and how to reduce vulnerabilities. The document will complement SP 800-37, which focuses on the security of individual computer systems, by instructing agencies on how to deal with the risks of connected systems that support multiple functions of an enterprise. To make room for the new guidance, the scope of SP 800-30, "Risk Management Guide for Information Technology Systems," will be narrowed to focus only on risk assessment, not management, Ross said.

"We're trying to tie information security back to enterprise architecture, so that when developers put designs on paper, they will consider security and privacy," he said.

NIST also plans to rework the National Security Agency's information assurance technical framework, which provides guidance on ensuring that integrating technologies does not jeopardize security.

"Every day, we're finding more stuff that needs to be fixed," Ross said. "We need to get back to the fundamentals. For the long term, we need to get back to building better commercial products and making sure those are integrated in a secure way."