NIST and IT Security: Much More Than Guidance
As Congress moves toward changing the way to determine the security of federal information systems, the National Institute of Standards and Technology is readying itself to provide the new measurements.
Legislation before Congress to reform the Federal Information Security Management Act of 2002 would measure in real time the security status of government IT systems and networks; now, agencies must show they comply with rules to secure their systems, which doesn't assure the systems themselves are safe.
"Absolutely," Cita Furlani, director of NIST's Information Technology Laboratory, responded to the question if NIST is set to meet the challenges of developing new standards. In fact, Furlani said in an interview with GovInfoSecurity.com (transcript below), NIST is being organized to do just that.
"People think of us as only the standards, and you can't really have effective standards unless you can measure that you are meeting those standards, and measurement typically means testing," Furlani said. "When we talk about our research efforts and what we have to focus on, it always comes down to what is measurable and how we can best provide the testing capability.
"The excitement from where I sit is figuring out where we can have the greatest impact with the resources we have and how best to move the standards, measurements and testing along to help industry and our federal colleagues to take advantage of the innovations that are coming downstream that are giving us these wide open opportunities for new ways of doing things every minute. ... When it comes down to where NIST fits, it's always back to the standards, measurements and testing, and figuring out where our unique contributions can have the greatest impact is my daily job and that's part of the fun."
In the interview, Furlani discusses not only how NIST is gearing up for changes in the way government will measure cybersecurity but the proposed reorganization of the Information Technology Laboratory that she heads. She also addresses the struggles government IT security professionals face in complying with FISMA, and how NIST can help make that process easier through automated controls. FISMA requires NIST to develop cybersecurity standards and guidelines.
ITL, as the lab is known, formulates metrics, tests and tools for a variety of subjects, including information complexity and comprehension, high confidence software, space-time coordinated mobile and wireless computing as well as issues of information quality, integrity and usability. ITL also has been charged to lead the nation in employing existing and emerging IT to meet national priorities that reflect the country's broad based social, economic and political values and goals. Under provisions of the USA Patriot Act and Help America Vote Act, ITL also addresses major challenges presented by homeland security and electronic voting.
Prior to being named ITL director 3Â½ years ago, Furlani served as NIST chief information officer, acting director of the NIST Advanced Technology Program and director of the program's Information Technology and Electronics Office. She began her career at NIST as a computer scientist and group leader in the Manufacturing Engineering Laboratory. Furlani also served as director of the White House's National Coordination Office for Networking and Information Technology Research and Development.
Eric Chabrow, GovInfoSecurity.com managing editor, interviewed Furlani.
ERIC CHABROW: You propose restructuring NIST Information Technology Laboratory. How would the lab be restructured? Why is it important to do so? And how would the restructuring affect the IT security guidance NIST is so well known for?
CITA FURLANI: We've taken an internal assessment of the strength of the lab and we've identified our core competencies and one of which, of course, is directly related to cybersecurity. The lab has been in the same structure for a number of years and there is opportunity to be stronger and better focused on the ever-changing environment that we live in, particularly in the context of strengthening our cybersecurity program. Much of what we do in other portions of the lab, other than the computer security division, is assisting our cybersecurity efforts. But if we had the chief cybersecurity adviser positioned in the lab headquarters, which is one of the proposals, there will be a strengthening and a multi-collaborations across the laboratory.
The other piece that I was looking to do - it's all a proposal - is to offer new opportunities for leaders within the lab, that there would be new groupings, new opportunities for strengthening the leadership, and again with the cybersecurity emphasis having Curt Barker, our chief cybersecurity adviser, sitting at headquarters and were able to assist in collaborations across the entire laboratory and having the oversight all the work that is going on in ITL.
It's very hard to think of cybersecurity as being separate from the needs of information technology more broadly, and so in the context of thinking, let's say usability of the context of thinking software assurance, the needs of the standards that are underpinning such vital national programs such as smart grid, health IT, the voting standards. There is a very broad context for what we do in cybersecurity that needs to be reconsidered in how we can be stronger and more able to adapt to the future.
CHABROW: As you know, FISMA, the Federal Information Security Management Act, and directives from the Office of Management and Budget direct federal departments and agencies to follow NIST guidance. I big complaint about FISMA is that it measures whether government officials comply with the rules aimed at safeguarding IT assets rather than determining if those assets, IT systems and data, are truly secure. Is that criticism of FISMA fair?
FURLANI: It's a difficult question because I've seen it from the CIO side, and I do agree that having a checklists is not the most effective way to understand whether your system is secure. We work with our colleagues at OMB, and we try to find ways to do what we can do from a technical prospective. - we are the technical arm not the policy people - and the context of how agencies are measured. That is one of the things we've just done with (NIST Special Publication) 800-53 and working with the intelligence community as well and the DOD to have a baseline of what the standard control sets would be across all federal systems, and then to have a risk-management approach as to which sets are the most applicable to an individual agency or entities needs.
If we can determine your level of risk and the appropriate measures to support that level of risk, that would be a much more effective measure of how things are going. Again, it is kind of like going back to deciding how secure you are going to make your house or your bank vault. You decide a certain level of risk given on where you live or what is inside, and how secure you build your defenses. So, if agencies can make those same decisions and document them, make it clear what those decisions are, and choose accordingly, I think it will be easier understanding across the board. Coming back to 800-53, trying to make the control structure uniform across the entire federal government, we believe that determining what level of risks someone has gives a way that the policymakers may be able to re-identify how things should be measured. We are not the policymakers. We do not make those decisions. We only provide the technical guidance.
When it comes down to making the policy that is the White House's job, not NIST.
CHABROW: I was having a conversation with Ron Ross, one of your leading IT security experts. and he strongly believes that if agencies properly follow the processes to comply with the regulations, IT systems would be secure. What I took from that conversation is that for many people call it human nature, following rules is hard.
FURLANI: We are working with and had some success is trying to have automated tools in place with the FDCC (Federal Desktop Core Configuration) and the SCAP (Security Content Automation Protocol) to identify whether the controls are actually implemented as intended and ways to both verify that they are there as intended and maybe to say what needs to be changed. It is an awful lot to ask of the human mind, to put it that way, to know every machine on every network and exactly how it's been configured. But if we can successfully deploy automated tools - which we have a big conference at the end of October in Baltimore - (that) could be used for this very purpose. Leveraging the community's strengths and the knowledge that is out there, there are ways that we can assist our federal colleagues in obtaining a higher level of security more easily.
CHABROW: Legislation before Congress would de-emphasize among departments and agencies the so-called paper compliance we've been talking about and emphasize real-time evaluation of security of IT systems. How is NIST gearing up for that change?
FURLANI: In the context of strengthening, I mean that is one of the issues I'm trying to propose new ways of using the resources we have more effectively in the proposed reorganization. If we do need to staff up, we have a clear understanding of where our priorities in positions are and what we need to do most urgently. The intent is to be more able to use our resources effectively to address this ever changing environment, because we really have a significant body of expertise that can be applied in appropriate ways, but figuring out what those are (is) why we'll benefit from having the chief cybersecurity adviser sitting up here at headquarters and helping guide these decisions for the laboratory.
CHABROW: Federal laws and directives direct federal agencies and departments to comply with NIST guidance. But in my conversations with local and state chief information officers and chief information security officers, they also seem to follow NIST guidance as well, even if they are not required to do so.
FURLANI: In the context of the state and local governments, we have been very pleased that there has been a lot of understanding of the value of our work, and one reason it is so highly valued, as you know, is that we publish everything we're doing in a draft and take many, many comments, in the ten of thousand of comments, that we respond to and post our responses. ... The private sector, the state and local government, other federal agencies all have some ownership in how the standards come to final form.
CHABROW: Anything else you would like to add?
FURLANI: It is a very exciting time in the context of the president's emphasis on how cybersecurity is to be viewed and his emphasis on transparency and openness, which of course, is one thing this lines up with very easily and trying to figure out how our work and where our technical expertise can have the greatest impact, and help him do what he needs to get done. It is a very exciting time, and again, having the stability in the NIST leadership will certainly help us identify those priorities.
CHABROW: Are you looking forward to new kinds of challenges, new types of ways to measure IT security?
FURLANI: Absolutely. People think of us as only the standards, and you can't really have effective standards unless you can measure that you are meeting those standards, and measurement typically means testing. When we talk about our research efforts and what we have to focus on, it always comes down to what is measurable and how can best provide the testing capability and the context of say, IPv6 right now, we are working on providing a testing capability for the federal government only against the government IPv6 profile, which we helped develop. There are unique characteristics of what this brings to the table.
The measurements, standards and underlying testing that has great potential to effect many of the national priorities and smart grid, health IT, etc. The excitement from where I sit is figuring out where we can have the greatest impact with the resources we have and how best to move the standards, measurements and testing along to help industry and our federal colleagues to take advantage of the innovations that are coming downstream that are giving us these wide open opportunities for new ways of doing things every minute. It seems like every minute of the day. Even when we are talking the pandemic, we are talking about how IT can be used to anticipate and prepare for that. When it comes down to where NIST fits, it's always back to the standards, measurements and testing, and figuring out where our unique contributions can have the greatest impact is my daily job and that's part of the fun.
CHABROW: The idea of a greater emphasis on measurement and real-time testing of systems, for example, is a challenge that I guess, people at NIST would be excited to tackle.
FURLANI: When you think of standards - I am thinking more broadly of the consensus-based industry standards as opposed to the FIPS (Federal Information Processing Standard), FISMA-mandated - we are very active participants in these broader community industry development standards, international standards, but where we bring the particular expertise is our understanding of how to measure and test. And if we can provide interactive feedback to the standards world as the standards are being flushed out, whether this standard can be tested against, what it means to test against it.
What needs to be locked down so that it can be fully understood and vendors can build to it so it can be tested against? Where we contribute in the broader sense in standards is in frequently is our knowledge of testing and how things need to be measured, and it's that feedback loop that builds better standards all the way along. And, of course, the ones that we put out, we do that as almost as part of the air we breathe because of the need to have that loop of testing, measurement, and finally good standards that can be tested against.