Peer-to-Peer: Security Managers Collaborate Through NIST Forum
NIST Forum Provides Venue to Share Best Practices
Taking turns, two NIST senior computer scientists Lee Badger and Peter Mell approached the podium to lecture on the information security implications of cloud computing and virtualization.
Five times a year, members of the Federal Computer Security Programs Managers' Forum gather for 2½ hours in Gaithersburg to be briefed on challenges faced by those responsible for securing non-national security federal information systems.
Formed 20 years ago, the Forum's membership has soared to about 700 from the initial 50, most joining this decade as e-Government initiatives began to take hold. Membership is free, and open only to federal government employees who manage their agencies' IT security programs, and to some federal contractors with similar responsibilities. Though the Forum counts chief information security officers among its legions, most members are a pay grade or two below the CISO.
Value from Peer Insights
Among the legions of the Forum's growing membership is Elvis Moreland, an information assurance manager for the Air Force Reserves, who characterizes the Forum as "the one place to go" to collaborate with and learn from other information assurance managers.
Social Security Administration IT specialist Bob Burch echoes those sentiments, adding that he finds the forthright discussion among his colleagues and NIST's insights on topics such as certification and accreditation and the trusted Internet connection "as another valuable security training tool for government security professionals."
What five-year member Angela Turnbull likes most about the Forum is having the opportunity to share ideas with her counterparts elsewhere in government -- managers she wouldn't have contact with regularly. Through the Forum, the information systems security officer in the Office of Personnel Management's Federal Investigative Services Division learned how other agencies implemented cross-domain interfaces that proved useful when she helped develop strategies to secure the Clearance Verification System between OPM and the Office of the Director of National Intelligence. "Getting the chance to have candid conversations and brainstorm with other government IT security professionals on critical issues is the greatest benefit of the Forum," Turnbull says.
NIST created the Forum to furnish federal information security managers with a channel to share best practices, as well as a way for the Institute to provide its publications and expertise directly to members to help them fulfill the requirements of the Federal Information Security Management Act (FISMA).
The Forum also hosts the Federal Agency Security Practices website where information security practitioners can share best practices.
NIST picks timely topics for its bimonthly sessions. Last fall, Mike Smith, program manager for Homeland Security's trusted Internet connection initiative, addressed the Forum on the government's efforts to reduce the number of external Internet connections in the federal government to fewer than 100 from more than 4,000. Fewer connections mean fewer avenues of entry for hackers.
At the Feb. 10 session, Mell explained that an advantage of cloud computing -- accessing data and applications over the Internet -- was greater resiliency; if one server goes down, another one will replace it, according to Forum chair Marianne Swanson, a NIST senior advisor on IT security management. (Because Forum meetings are closed to the public and press, Swanson provided some details on these sessions.) One disadvantage cloud computing presents is that applications and data accessed over the Internet could prove to be attractive targets for hackers. And, if an agency's Internet connection fails, users wouldn't have access to the cloud's applications and data.
In a more technical briefing, Badger explained that the additional software required for virtualization -- in essence, having one machine act as multiple servers -- provides an "extra layer for defense and depth," making the device harder to hack. The disadvantage: the extra software entails many lines of code, and if a bug were inserted, it could prove difficult to find and remediate.
A discussion followed both presentations; such discussions are the reason the press and public are barred from these sessions, so that a frank exchange of ideas can take place. "That's the beauty of having it in a closed environment," Swanson says. "The questions asked and the answers provided by an agency could be considered for official use only. Information is exchanged that wouldn't normally be shared at a big conference with participants from outside of government."
For federal government information security managers and professionals interested in joining the Forum, e-mail the following information to firstname.lastname@example.org: