NIST guidelines: Broccoli and cheese

NIST's FISMA project leader explains how agencies can team up to hack away at the time and effort needed to qualify IT products and services for purchase.

For government agencies, complying with new security guidelines from the National Institute of Science and Technology can be the equivalent of eating broccoli: It’s good for you, but that doesn’t mean you enjoy it. With recent announcements, however, there’s a heaping of tasty melted cheese included in the form of potentially saving big bucks.

In a GovInfoSecurity.com interview, NIST’s Federal Information Security Management Act project leader, Ron Ross, shows how agencies can team with other agencies -- or candidly piggyback on their work -- to hack away at the time and effort needed to qualify IT products and services for purchase.

That’s a part of NIST Special Publication 800-37, a guide for agencies to apply risk management techniques to harmonizing IT certification and accreditation across the government. That was just one of a number of announcements NIST made about security issues in late February.

Ross said there are now three distinct authorization approaches agencies can use, starting with the traditional single authorization, where one agency official does all the work to authorize each system. Now there is also a joint authorization, where multiple authorizing officials can work together to authorize something like a service that many agencies will be using.

And then there is something called a leveraged authorization, where agencies can use the documentation and evidence that other agencies have created as the basis for their own risk decision.

Ross said there has been a change in the culture over the past few years that has required these kinds of changes, together with technological innovations such as cloud computing, that require a more collaborative environment. Civilian, military and intelligence agencies are much more inclined to cooperate and share on these kinds of things.

That all makes sense, but I guess we’ll have to see how this rolls out in practice. Kumbaya has not proven to be a very practical philosophy in the past.

And, by the way, in case people feel like complaining, the lead was inspired by George H.W. Bush. I actually like broccoli.