GovInfoSecurity.com - Information Security News, Regulations, & Education


NIST Guidance Seen Saving Government Millions

Agencies to Pool Resources to Accredit Technology, Services
March 11, 2010 - Eric Chabrow, Executive Editor, GovInfoSecurity.com

As the government looks to deploy cloud computing and other new technologies securely, just-issued guidance from the National Institute of Standards and Technology shows how agencies can pool resources to qualify technologies and services for purchase and, in turn, save taxpayers millions of dollars, says a senior NIST computer scientist.

Traditionally, each agency had been required to have its own officer make a judgment on whether the technology or service being acquired met certain IT security standards. But Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, shows how agencies can either have their authorization official team up with counterparts from other agencies - known as joint authorization - or piggyback on the work performed by another agency's authorization official - leveraged authorization - to qualify IT products and services for acquisition.

Ron Ross - who led the team that wrote the revised SP 800-37, which NIST released late last month - explained in an interview with GovInfoSecurity.com (transcript below) how the new process works:

"For example, the GSA (General Services Administration) may go out and accredit or authorize cloud providers' information systems. Then, there may be a string of other federal agencies that decide somewhere down the line, after that authorization is completed, that they also want to use that cloud provider's services. Instead of having to go back and having each of those agencies do a complete reauthorization for their own purposes, they can now use the documentation and evidence used as part of that first agency's authorization, and use that as the basis of their risk decision."

"This has the potential to save the federal government literally millions of dollars so every agency doesn't have to go forward and do the same process over and over and over again."

Ross, in the conversation with GovInfoSecurity.com's Eric Chabrow, also discussed the:

  • Importance of the new guidance in providing real-time monitoring of IT systems.
  • Challenges federal agencies face in adopting NIST IT security guidance.
  • State of cybersecurity in the federal government.

Ross, the highly regarded NIST senior computer scientist and information security researcher, serves as the institute's Federal Information Security Management Act implementation project leader. He also supports the State Department in the international outreach program for information security and critical infrastructure protection. Ross previously served as the director of the National Information Assurance Partnership, a joint activity of NIST and the National Security Agency.

A graduate of the United States Military Academy at West Point, Ross served in a variety of leadership and technical positions during his 20-year career in the Army. While assigned to the National Security Agency, he received the Scientific Achievement Award for his work on an interagency national security project and was awarded the Defense Superior Service Medal upon his departure from the agency. He's a two-time recipient of the Federal 100 award for his leadership and technical contributions to critical information security projects affecting the federal government. During his military career, Ross served as a White House aide and as a senior technical advisor to the Department of the Army.

Ross is a graduate of the Program Management School at the Defense Systems Management College and holds a master's degree and a Ph.D. in computer science from the United States Naval Postgraduate School.

ERIC CHABROW: Before we get into the specifics about NIST 800-37, I would like to get your characterization of the current state of cybersecurity in America. At a hearing on Feb. 23, former National Intelligence Director Mike McConnell said if we were in a cyber war today the United States would lose. Is the state of cybersecurity in the United States and federal government that bad?
