Feds to push new set of security controls

To bolster information systems security, the federal government is pushing to have civilian agencies, such as the U.S. Department of Agriculture, follow new regulations based on practices at the Department of Defense and Central Intelligence Agency.

The proposed regulations are laid out in a 238-page document, “Recommended Security Controls for Federal Information Systems,” issued by the National Institute of Standards and Technology (NIST) this week. The document details steps that civilian agencies must take to protect software, hardware and network resources, including physical security, personnel training and review, auditing and disaster recovery.

NIST wants agencies to start following the guidelines immediately, even though they are not expected to be finalized as a government IT standard for well over a year.

“This is far from an academic exercise; it’s mandated by the Federal Information Security Management Act of 2002,” says Ron Ross, project leader at NIST. “With terrorism and the ability of our adversaries to attack our systems, this can’t be an academic drill.”

The security guidelines are expected to push civilian agencies into unaccustomed practices, such as segmenting information assets into three main risk categories (low, moderate and high) and following proscribed procedures to protect them. A separate NIST document, “Standards for Security Categorization of Federal Information Systems,” describes how to do this, and it’s expected to be an official standard, FIPS 199, by year-end.

The security-controls document issued last week is certain to be debated, because it imposes new restrictions and practices. It asks agencies to endorse a preference for vendor products tested under the so-called Common Criteria guidelines – something the Defense Department does today. While open source software would be allowed, it would have to be “assessed to determine the security impact of its use,” the report says. Shareware and freeware would be prohibited in many cases, as would the use of instant messaging on public networks or remote-access via dial-up. Voice over IP also comes under scrutiny in the regulations, which would disallow products that users could configure too easily.

In addition, agencies deemed to have moderate-risk information assets might have to buy new products, such as security gear to prevent denial-of-service attacks.

“Some agencies may say, ‘we have to do a lot of work,'” Ross says. “But it will start the dialogue. And we expect to learn a lot of things through the feedback.” NIST has deliberately left blank the specific requirements for high-risk systems until a public meeting is held next March at NIST.

While NIST’s security benchmark is impressive in its detail, it’s likely to be expensive for the federal agencies to implement, says Brad Johnson, vice president of consulting at SystemExperts. “But one of the most important things it will do is give people a common way to talk about the complex idea of security,” he adds.