The National Institute of Standards and Technology plans to soon update some of its publications, including its risk management framework, to reflect new IT modernization priorities. Ron Ross, the computer scientist leading NIST’s Federal Information Security Management Act (FISMA) implementation, said these three primary goals are to simplify, innovate and automate.
Ross said in a Feb. 28 i360Gov webcast on IT modernization and cyber that NIST has been working on revision five of the Security and Privacy Controls for Federal Information Systems and Organizations for some time. That new revision will involve integrating privacy and security controls into one unified catalog in order to simplify the process.
Similarly, in an effort to connect the C-suite to systems owners, NIST is looking at integrating the cybersecurity framework into the risk management framework 2.0. The idea, he said, is to get the C-suite to buy into the problem space by explaining the impact on the business if the system is breached. That way the enterprise can be more responsibly prepared before tasking the systems owners with protecting it.
NIST is also projecting that it will publish the second volume of its systems security engineering publication, 800-160, on March 21. It will focus on cyber resiliency considerations for the engineering of trustworthy secure systems, taking into account the basic idea that you can’t always stop the bad guys before they breach the system.
“We certainly have to reduce the complexity of the infrastructure we have deployed today because the adversary loves complexity. They hide in the cracks of that complexity,” Ross said.
And that’s something that David Hogue, technical director of the National Security Agency’s Cybersecurity Threat Operations Center, said he deals with on a daily basis protecting DoD’s information networks.
Of the 30 million emails DoD’s networks see each day, Hogue said about 85 percent of them are rejected as either suspicious or known malicious. He also deals with continuous web scanning, because adversaries are always trying to exploit and weaponize vulnerabilities.
Hogue said that’s the new normal: aggressive and disruptive cyber operations, like the weaponization of exploits, and continuous techniques and attempts to overcome defensive measures, like suborning legitimate credentials or services.
Because of this, all traffic at DoD is routed through 10 gateways, ensuring NSA can see 99 percent of the traffic going in and out of DoD, exemplifying NIST’s priority of simplification.
Ross said moving to shared services is one critical way agencies can move toward simplicity. Each agency doesn’t need its own payroll system, for example. Reducing the number of systems would reduce the number of potential vulnerabilities to exploit across government.
And while Ross acknowledged that those systems can take a good deal of time and money to stand up initially, it’s easier and more cost-effective than doing that 24 times at 24 different agencies.
Another good move agencies can make is moving to the cloud. Ross said it’s a good idea for agencies to only own what they need.
“Most of the complex IT infrastructure that you have around your organizations, you don’t use most of that technology 24/7,” he said.
And because FedRAMP cloud providers have already been assessed and certified to work properly, making this move can simplify how agencies view any problem. All they have to do is identify critical assets and deploy protections.