A recently released publication is designed to facilitate information sharing across civilian and military organizations in the U.S. Government. Produced as a joint effort by the National Institute of Standards and Technology (NIST), the Defense Department and the U.S. intelligence community, the document creates a common information security framework for the federal government and the contractors who support it.
NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37), emphasizes building information security capabilities into information systems through state-of-the-practice management, operational and technical security controls. The publication structures the certification and accreditation process into a six-step risk management framework (RMF).
The revised RMF promotes near-real-time risk management and ongoing information system authorization by implementing continuous monitoring processes; using automated support tools as decision-making aids; integrating information security more closely into the enterprise architecture and systems development life cycle; equally emphasizing the selection, implementation, assessment and monitoring of security controls and the authorization of information systems; establishing responsibility and accountability for security controls deployed in organizations’ information systems; and using a risk executive function to link risk management processes at the information system level to those at the organization level.
A major goal of NIST SP 800-37 is to permit the defense and intelligence communities to share information more easily. According to Roger L. Caslow, chief of the Risk and Information Assurance Program Division, Office of the Associate Director of National Intelligence and Chief Information Officer (ADNI/CIO, IC CIO), NIST SP 800-37 and the revised RMF support a balanced risk management approach for federal cybersecurity. The RMF allows security to be built into information systems’ life cycles, supporting adaptability to varying environments across the community. He explains that the document provides an approach to manage risks for both traditional and complex systems, a procedure that was not formalized previously.
Other benefits include incorporating information assurance (IA) into the intelligence community enterprise architecture to promote the delivery of IA services as enterprise services. Caslow indicates that the increased efficiencies from leveraging and reusing previous work allow more resources to be directed at risks as opposed to compliance issues. “The most obvious impacts will be seen in how this brings the national security community closer to legislative compliance requirements, assists our inspector general audits, and aligns with the rest of the federal government to support reciprocity,” he says.
For Defense Department users, the new framework is very similar to the department’s current certification and accreditation system, says Dominic A. Cussatt, a senior policy adviser in the Cyber Information Assurance Policy and Strategy Directorate, Office of the Deputy Assistant Secretary of Defense for Cyber Information and Identity Assurance. However, he adds that NIST SP 800-37 provides greater detail and operational scenarios, and addresses several external environments, such as partnerships, outsourcing and supply chain considerations, that may prove useful to the department. “For the first time, there will be a common agreed-upon approach for information security risk management across the federal government that will provide a strong basis for reciprocal acceptance of security authorization decisions and facilitated information sharing. We will also share a common lexicon of risk management roles and responsibilities so that we are all speaking the same language and working from the same context,” he says.
Read more about the RMF and additional comments from Caslow at SIGNAL Scape.