Ron Ross, a fellow at the National Institute of Standards and Technology, leads the Federal Information Security Management Act (FISMA) Implementation Project. He developed the first set of unified information security standards and guidelines for all Federal agencies.
Ross recently participated in a Q&A with MeriTalk.com.
MeriTalk: Please describe how you developed the first set of unified security standards and guidelines for all Federal agencies.
Ross: In 2007, NIST conducted the initial analysis of its security standards and guidelines and those security standards and guidelines in place within the Defense Department and the Intelligence Community. The results showed a very high degree of overlap or duplication in the types of safeguards and countermeasures being recommended and implemented by the national security community and the traditional NIST constituency of Federal agencies. Shortly thereafter, discussions began on the possibility of selecting a small number of NIST security publications that could potentially be adopted by the DOD and IC. The first prototype JTF publication was NIST Special Publication 800-53 (the security and privacy controls catalog). That publication was followed by risk management and risk assessment guidelines, and the Risk Management Framework. During the past several years, both DOD and IC security policies have been modified to reference the JTF publications.
MeriTalk: Was it difficult getting every agency and sub-agency on board? Please describe the benefits once it became active.
Ross: OMB policy requires all Federal agencies to use NIST standards and guidelines. That said, there is a huge benefit to having a unified set of security standards and guidelines for the Federal government. It provides a consistent view of cybersecurity both for our Federal agencies and their contractors, a common language to address difficult and challenging cybersecurity problems, a rich set of safeguards and countermeasures from which to select, and a means to share important security-related information.
MeriTalk: Who did the work on this security system?
Ross: The core FISMA security standards and guidelines were developed by the FISMA Implementation Project team which consists of NIST security professionals, security professionals from other Federal agencies, and support from our industry partners including several Federally Funded Research and Development Corporations and private contractors. As with all NIST standards and guidelines, we receive many contributions from both public and private sector organizations during the extensive public review process. This provides a transparency in the creation of those publications and also ensures the standards and guidelines are technically correct and implementable.
MeriTalk: It didn’t help OPM, which experienced two massive cyberattacks, or was it not in effect?
Ross: NIST is responsible for developing and maintaining security standards and guidelines for the Federal government. The FISMA-related standards and guidelines have been in effect for over a decade. Based on Office of Management and Budget policy and the law, each agency is responsible for implementing those standards and guidelines as part of its information security and risk management programs. Agency officials make their individual risk management decisions based on the agency’s missions and organizational risk tolerance. Therefore, you will see different security solutions emerging based on how a particular agency applies the NIST standards and guidance.
MeriTalk: Please describe how your risk management framework is fundamentally changing the way Federal agencies protect information and information systems, and is reducing the vulnerability.
Ross: The Risk Management Framework provides an extensive and customizable toolset for Federal agencies to implement their risk-based information security programs. It provides a disciplined and structured process to help agencies determine the criticality and sensitivity of their information assets, select the appropriate security controls to achieve adequate protection, and continuously monitor the security state of their systems and networks. The flexibility provided by the RMF is essential in today’s world of highly complex IT infrastructures and diverse Federal missions. Finding the right security solutions based on the agency’s risk tolerance is a key capability provided by the framework.
MeriTalk: Does that mean that every agency has to provide extra security at every level to protect their data?
Ross: Federal agencies deal with large quantities of data and information in their routine, day-to-day operations. All information has value but not all information is valuable. It is extremely important in today’s highly complex information infrastructure that agencies identify those information assets that are “high value” and institute greater protective measures for such information. A key part of the overall protection strategy is to consider moving high value information into its own domain where stronger and more comprehensive safeguards can be implemented. We cannot afford to employ those additional safeguards everywhere, but knowing which assets are critical to the agency’s operations and focusing the increased emphasis in that area can help reduce the agency’s susceptibility to cyberattacks.
MeriTalk: With reports of thousands of intrusions every year, will these NIST standards and guidelines have any impact on creating better firewalls against these intrusions?
Ross: NIST standards and guidelines are having a positive impact on Federal agencies and their information systems every day. For every successful cyberattack on a Federal system, there are thousands of attacks that are stopped in their tracks by the dedicated cybersecurity professionals defending our systems and networks. While it is impossible to stop all cyber breaches, the thoughtful implementation of NIST security standards and guidelines using risk-based methodologies can go a long way toward reducing an agency’s susceptibility to cyberattacks. A well-designed cybersecurity strategy includes several critical elements—hardening the target and making the system more penetration resistant, limiting the damage adversaries can do once they have penetrated the system, and ultimately, making the system more survivable in a hostile operational environment. The new NIST systems security engineering guideline (SP 800-160), to be published in 2016, will help further institutionalize and operationalize cybersecurity at every stage in the system life cycle.