ODNI: Trade-off information security for good intel

The Office of the Director of National Intelligence issued a directive on Tuesday that recommends managers of information technology systems accept a lower level of security if it provides the United States with better intelligence.

Intelligence Community Directive 503, signed by Director of National Intelligence Mike McConnell on Sept. 15, said the principal goal for risk management of any intelligence agency such as the CIA or the National Security Agency should be to protect the agency's ability to perform its mission, "not just to protect its information assets."

"Because risk cannot be eliminated entirely, the risk management process must allow decision-makers to consider the operational economic costs of protective measures weighed against requirements for mission accomplishment," the directive stated. "For example, a very high level of security may reduce risk to a very low level, but can be extremely expensive and may unacceptably impede essential operations."

Intelligence agencies should consider information sharing and collaboration across the community and with foreign partners "as essential mission-sharing capabilities," the directive said.

The directive is part of the push among intelligence agencies to open up their systems with the aim of improving intelligence and stopping attacks on the United States like the ones conducted on Sept. 11, 2001. In its report, which delineated the intelligence failures that resulted in the attacks against the World Trade Center and the Pentagon, the 9/11 commission called for a cultural shift to encourage information sharing. The intelligence reform enshrined those recommendations into law.

The language in the new directive stands in stark contrast to the one it replaces, the Director of Central Intelligence Directive 6/3 issued in 1999, which emphasized security and said nothing about operational requirements. That directive said IT system risk assessments should "identify specific areas that require safeguards against deliberate or inadvertent unauthorized disclosure, modification or destruction of information; denial of service; and unauthorized use of the [IT systems]."

ODNI described the new directive, which codifies strategic goals agreed on with John Grimes, the Defense Department's chief information officer, in January 2007, as "a ground-breaking new policy [that] . . . changes how the intelligence community, and by inference, the entire federal government, will build, validate and approve information technology systems."

"This is an important step forward, but primarily only for ODNI itself," said Pat Howard, the chief information security officer for the Nuclear Regulatory Commission. "This changes ODNI policy on certification and accreditation of IT systems to closely align to that of the civilian agencies."

The policy tracks the National Institute of Standards and Technology Special Publication 800-37. "I do think this is a step in the right direction since it is a move toward a common certification and accreditation standard that is accepted by a large part of the government, by an important agency that has a substantial number of highly sensitive IT systems," Howard said. "Perhaps DoD should move in this direction, too."

The directive lays out broad parameters to simplify accreditation and certification of intelligence community IT systems and calls for reciprocal accreditation of systems operated by other government agencies, including those at the state and local levels, or nongovernmental agencies that meet standards established by ODNI or NIST. The intelligence community also should accept system accreditations conducted by foreign partners including Australia, Canada, New Zealand and the United Kingdom, the directive said.

Steven Aftergood, director of the Project on Government Secrecy for the Federation of American Scientists, called the new directive an "exercise in common sense: It says security is a means, not an end, and risk needs to be managed."

Aftergood said the directive also ties in with the recent intelligence community policy to share information, rather than closely hold on to it.

Philip Coyle, senior adviser with the Center for Defense Information, a security policy research organization in Washington, said the new directive was a way to "fudge" on security, and the government would do better to follow the practices of industry.

Coyle, who served as assistant secretary of Defense and director of its operational test and evaluation office from 1994 to 2001, said he was struck by the differences between private industry and the national security establishment when it comes to information technology development and deployment.

Private industry is innovative, developing applications and systems within small teams, and is cautious about security risks, he said. Defense and the intelligence community, by contrast, are not as cautious. They want to build "gigantic systems that are outdated before they can be deployed, developed by major defense contractors operating with very large teams, wanting to fudge on security to deploy faster, and wanting to bypass testing, which is seen as an obstacle not an opportunity for insight."
