Feds to push new set of security controls

To bolster information systems security, the federal government is pushing to have civilian agencies, such as the U.S. Department of Agriculture, follow new regulations based on practices at the Department of Defense and Central Intelligence Agency.

The proposed regulations are laid out in a 238-page document, “Recommended Security Controls for Federal Information Systems,” issued by the National Institute of Standards and Technology (NIST) this week. The document details steps that civilian agencies must take to protect software, hardware and network resources, including physical security, personnel training and review, auditing and disaster recovery.

NIST wants agencies to start following the guidelines immediately, even though they are not expected to be finalized as a government IT standard for well over a year.

“This is far from an academic exercise; it’s mandated by the Federal Information Security Management Act of 2002,” says Ron Ross, project leader at NIST. “With terrorism and the ability of our adversaries to attack our systems, this can’t be an academic drill.”

The security guidelines are expected to push civilian agencies into unaccustomed practices, such as categorizing information assets into three main risk categories (low, moderate and high) and following prescribed procedures to protect each category. A separate NIST document, “Standards for Security Categorization of Federal Information Systems,” describes how to do this, and it’s expected to become an official standard, FIPS 199, by year-end.

The security-controls document is certain to be debated, because it imposes new restrictions and practices. It asks agencies to adopt a preference for vendor products evaluated under the Common Criteria – something the Defense Department does today. While open source software would be allowed, it would have to be “assessed to determine the security impact of its use,” the report says. Shareware and freeware would be prohibited in many cases, as would the use of instant messaging on public networks and remote access via dial-up. Voice over IP also comes under scrutiny in the regulations, which would disallow products that users could configure too easily.

In addition, agencies deemed to have moderate-risk information assets might have to buy new products, such as security gear to prevent denial-of-service attacks.

“Some agencies may say, ‘we have to do a lot of work,'” Ross says. “But it will start the dialogue. And we expect to learn a lot of things through the feedback.” NIST has deliberately left blank the specific requirements for high-risk systems until a public meeting is held next March at NIST.

While NIST’s security benchmark is impressive in its detail, it’s likely to be expensive for the federal agencies to implement, says Brad Johnson, vice president of consulting at SystemExperts. “But one of the most important things it will do is give people a common way to talk about the complex idea of security,” he adds.

Jim Love, Chief Content Officer, IT World Canada