Dramatically reducing the onslaught of cyber attacks against federal agencies is a matter of bringing a certain type of discipline to the government.
Experts say the government needs the same controls that are used in the engineering of a building or an airplane in IT hardware and systems.
Ron Ross, a fellow at the National Institute of Standards and Technology, said that means ensuring everyone involved in a specific program knows their roles.
“The stakeholder can select controls to protect their missions and have trade-off discussions where they ask what is my risk between things like two-factor authentication versus encryption?” Ross said at a recent AFCEA Bethesda event. “These are engineering and business decisions that we are not making today. I hope to transition from where we are today, following an army of frameworks, controls and standards, and agencies who are drowning in guidance, to instead give them a process that is disciplined and structured, and involves everyone in every step of the way.”
Ross and others readily admitted that implementing this type of discipline takes years, isn’t easy and is not a silver bullet against hackers, nation states and other bad actors.
But it’s a matter of how resilient an organization’s systems are against attack, said Peter Gouldmann, director of information risk programs in the Office of Information Assurance at the State Department.
“It’s the nexus of defense and planning,” Gouldmann said. “It goes back to the fact that the perimeter can’t be relied upon 100 percent so if you start out with a design with resilience in mind, with the knowledge of what’s most important and what you can yield on if you must, then you can have a discussion about protection and resiliency.”
Solving a fundamental problem
To that end, NIST is integrating these concepts in a new document, Special Publication 800-160, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems.
The agency released the draft version in May 2014, collected comments over the last year and now is finalizing it.
Ross said version 1.0 should be released by the end of 2015 or early 2016 after it releases a second public draft for comments later this summer.
“We’re trying to solve a fundamental problem of how do we get cybersecurity integrated into the mainstream organizational processes. That is what we’ve been struggling with,” he said. “We took an international standard. It’s an IEEE and ISO standard, joint standard, 15288, and we got permission from IEEE to reference their process steps across the lifecycle. What we are doing in the NIST publication is we are defining what are the security best practices that should take place at every point in that lifecycle from stakeholder requirements to the design to the architecture to the implementation and to the verification and validation, all the way through. The intent there is to make the right people in the organization involved in the decision making process for how do you protect the mission of the business. Today in many cases, we are pushing the security controls from the bottom up, devoid of the context.”
Ross said 800-160, in many ways, is integrating all the work NIST has done over the last decade or more with risk management, security controls and other cyber special publications. He said those individual documents are not going away, but the goal is to give agencies a better context for applying these cybersecurity standards.
“Every mission, every business is a little bit different. So once you decide what your critical functions and business objectives are, then the question today is how do I protect myself when I’m depending on information technology for that mission and business success?” he said. “When you take the approach from the top down, you get the stakeholders involved early, they can be part of the discussion about why you need this security control, why do you have this security requirement, is there a purpose, how will it help me protect my business or mission and can I manage the risk after I make those decisions? It’s a more transparent or informed way of doing business. That is the key to sort of shaking up what we are doing now and do something a little different to make sure that outcomes downstream are a little better than we have today.”
Ross said the end goal is to distribute the cyber expertise across the department so that everyone from the CFO to the program manager to the training manager, and anyone else with a stake in the mission success of the agency, shares in it.
Ross said the reason NIST decided to develop the systems security engineering publication is because of the growing complexity of systems and devices.
The government hasn’t looked at how to deal with this multifaceted challenge of securing not just a network or a combination of networks, but all the devices connected to them and the data that runs through them.
CUI security controls
At the same time, NIST is working on several other publications.
Ross said NIST will begin the process of updating the venerable SP 800-53. He said NIST later this year will ask security experts in and out of government for input on what needs to be added to the granddaddy of security publications, which is scheduled for a refresh in 2016.
NIST also is working closely with the National Archives and Records Administration on its effort to better protect, manage and decontrol controlled unclassified information (CUI).
NARA released a proposed rule May 8 detailing how it wants to standardize how agencies should manage CUI.
Ross said NIST released the final public draft of SP 800-171 on April 2 to help agencies ensure the security of CUI when it goes to non-federal entities.
He said NARA is expected to develop a Federal Acquisition Regulation to outline controls for CUI data on contractor networks and systems.