New cybersecurity guidelines simplify, prioritize protections

Published 4 March 2009

A new set of guidelines aims to simplify the thousands of pages of cybersecurity guidance from the National Institute of Standards and Technology; managers say the NIST guidance is hard to implement and harder to audit

Chief information officers say a new list of crucial cybersecurity controls, called the Consensus Audit Guidelines (CAG), highlights the problems with the U.S. government’s current approach to securing its systems. The guidelines, issued last week by a team of chief information officers and industry experts (see 24 February 2009 HS Daily Wire), aim to simplify the thousands of pages of cybersecurity guidance from the National Institute of Standards and Technology. Managers say the NIST guidance is hard to implement and harder to audit. The government’s broader cybersecurity strategy has come under fire in recent years as attacks on federal networks have increased.

Federal Times’s Gregg Carlstrom writes that CIOs do not want to fully endorse the CAG recommendations until they have been reviewed by the Office of Management and Budget. They say, however, that the debate over CAG underscores the problems with the government’s current security guidelines, which many CIOs say are based too much on compliance. “[Security] needs to be baked in, as opposed to iced on. When you ice it on, you get a ‘check the box’ mentality,” said Carl Staton, deputy CIO at the Energy Department. “The current system allows for some security, but until it is integrated into all components of the network, it will be a challenge to keep up with and ahead of the bad guys.”

The group behind the recommendations set out to choose 20 priority action steps from a much broader list of cybersecurity controls published by NIST. The list, called Special Publication 800-53, is the current standard for measuring cybersecurity. About 30 volunteers were asked to pick out what they considered to be the most important controls, according to Alan Paller, director of the SANS Institute, a Maryland-based computer security research firm and one of the team members. The team of volunteers included federal employees and contractor officials.

Paller said there was no way to tell which NIST standards were being implemented, which made them impossible to prioritize. “I don’t think the government could have made a bigger mistake than to rely on 800-53 as the standard,” he said. So the team gave up that approach after a few months. It turned to the National Security Agency, which was working on its own list of prioritized security controls. NSA’s Vulnerability Analysis Office was mapping data on government-wide cyberattacks against NIST guidance, and using that to choose the most important parts.
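The prioritization approach the last paragraph describes (map observed attacks against the control catalog, then keep the controls that address the most attacks) can be shown as a small data exercise. The following script is an added illustration, not the article's content and not NSA's or SANS's actual method: the incident records and the incident-to-control mapping are constructed for the example, and the greedy set-cover ordering is one reasonable way to turn such a mapping into a short priority list. The control identifiers (for example SI-2 Flaw Remediation, CM-7 Least Functionality) follow NIST SP 800-53 naming.

```python
"""Rank security controls by how many observed incidents they would mitigate.

Added example (not from the article). Input: a constructed set of incidents,
each tagged with the SP 800-53 controls that would have stopped it. Output:
per-control coverage counts and a greedy set-cover ordering that addresses
every incident with as few controls as practical.
"""
from collections import Counter

# Constructed sample data: incident id -> controls that would have mitigated it.
INCIDENTS = {
    "inc-001": {"CM-7", "SI-2"},    # unpatched network service exploited
    "inc-002": {"SI-2", "AC-6"},    # privilege escalation via a known bug
    "inc-003": {"AC-2", "IA-5"},    # default credentials left in place
    "inc-004": {"SI-4", "AU-6"},    # outbound beaconing went unnoticed
    "inc-005": {"SI-2"},            # unpatched client application
    "inc-006": {"CM-7", "AC-17"},   # remote admin service exposed
    "inc-007": {"IA-5", "AC-2"},    # shared password reused across hosts
}


def coverage_counts(incidents):
    """Return a Counter of control -> number of incidents it would mitigate."""
    counts = Counter()
    for controls in incidents.values():
        counts.update(controls)
    return counts


def prioritize(incidents):
    """Greedy set cover over the incident data.

    Repeatedly pick the control that mitigates the most still-unaddressed
    incidents, remove those incidents, and continue until none remain.
    Ties break alphabetically so the result is deterministic. Returns a
    list of (control, incidents_newly_covered) in priority order.
    """
    remaining = set(incidents)
    order = []
    while remaining:
        gain = Counter()
        for inc in remaining:
            gain.update(incidents[inc])
        best = min(gain, key=lambda c: (-gain[c], c))
        order.append((best, gain[best]))
        remaining -= {inc for inc in remaining if best in incidents[inc]}
    return order


def covers_all(order, incidents):
    """Check that the chosen controls address every incident in the data."""
    chosen = {control for control, _ in order}
    return all(controls & chosen for controls in incidents.values())


if __name__ == "__main__":
    print("Raw coverage:", coverage_counts(INCIDENTS).most_common())
    ranked = prioritize(INCIDENTS)
    print("Priority order:", ranked)
    print("All incidents addressed:", covers_all(ranked, INCIDENTS))
```

The raw counts alone already show why prioritization matters: one control (SI-2, patching) accounts for three of the seven constructed incidents, while several others each address only one. The greedy pass goes further by skipping controls whose incidents are already covered, which is what distinguishes a short, ordered action list from a flat catalog.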