Security experts push to require federal information security guidelines

Inclusion of recommendations in NIST's list of computer security controls seen as a positive first step.

The final version of the National Institute of Standards and Technology's computer security controls will incorporate recommendations developed by security experts in industry and government for dealing with attacks on federal networks. Those professionals hope that including their prescriptions in official NIST guidance will be the first step toward a federal mandate for compliance.

After receiving more than 800 comments on its third revision of Special Publication 800-53 -- "Recommended Security Controls for Federal Information Systems and Organizations" -- NIST will post the final version online on July 31. One significant addition is guidance on how to fix the specific vulnerabilities in federal networks that hackers are known to exploit most frequently. These recommendations, known as the Consensus Audit Guidelines, were developed by security analysts from industry and government, including the Defense, Energy and Homeland Security departments, the National Security Agency, and the Government Accountability Office. They establish baseline information security measures and controls, most of which can be monitored continuously using automated processes.

"We try to get new ideas -- good ideas -- into our publications," said Ron Ross, senior computer scientist and information security researcher at NIST. "We tried to integrate [guidelines] that could be a subset of the controls already in the publication, which organizations can use to drill down to specific areas with regard to testing and evaluation and audit compliance, and automation of security functions."

The comprehensive list of security controls will help agencies manage risk, said Alan Paller, director of research at the SANS Institute, who noted the NIST document likely will reshape security in the federal government and industry. For the first time, the guidance will include best practices in information security from the Defense Department, the intelligence community and civilian agencies.

John Gilligan, president of IT consulting firm Gilligan Group and former chief information officer at the Air Force, hopes the Obama administration will require the security recommendations as a baseline for agencies, which can then decide which additional controls to deploy in accordance with NIST guidance.

"NIST is not a policy organization; it's the Office of Management and Budget and the CIOs that have policy authority and accountability," he said.

Gilligan and other security specialists who contributed to the guidelines met with the Federal Chief Information Officers Council's management and information security committee several months ago and recently requested a meeting with federal CIO Vivek Kundra to discuss the possibility of making compliance a requirement. He also discussed with the General Services Administration the possibility of offering a contract to IT vendors for tools that could help agencies comply with the guidelines.

"If Kundra said we're doing this, GSA would fall in line quickly," Gilligan said. "They're willing, so now the question is whether there will be the demand."

Bolstering Gilligan's case is a pilot initiative at the State Department to test the security benefits of the guidelines. The department automated some of the recommendations and implemented an IT dashboard that allowed the chief information security officer to assess compliance and grade results at bureaus and embassies. He can evaluate why a particular embassy earned an 85 percent, for example, and how the score would change if additional guidelines were implemented.

"It's resulted in quantum leaps in improving security," Gilligan said. "It's not perfect, but the progress is really impressive. It's a powerful example."

The State Department has offered the IT dashboard as a model to others in the federal government.
