Skip to main content

Information Security: Progress Made on Harmonizing Policies and Guidance for National Security and Non-National Security Systems

GAO-10-916 Published: Sep 15, 2010. Publicly Released: Sep 15, 2010.
Jump To:
Skip to Highlights

Highlights

Historically, civilian and national security-related information technology (IT) systems have been governed by different information security policies and guidance. Specifically, the Office of Management and Budget and the Department of Commerce's National Institute of Standards and Technology (NIST) established policies and guidance for civilian non-national security systems, while other organizations, including the Committee on National Security Systems (CNSS), the Department of Defense (DOD), and the U.S. intelligence community, have developed policies and guidance for national security systems. GAO was asked to assess the progress of federal efforts to harmonize policies and guidance for these two types of systems. To do this, GAO reviewed program plans and schedules, analyzed policies and guidance, assessed program efforts against key practices for cross-agency collaboration, and interviewed officials responsible for this effort.

Federal agencies have made progress in harmonizing information security policies and guidance for national security and non-national security systems. Representatives from civilian, defense, and intelligence agencies established a joint task force in 2009, led by NIST and including senior leadership and subject matter experts from participating agencies, to publish common guidance for information systems security for national security and non-national security systems. The harmonized guidance is to consist of NIST guidance applicable to non-national security systems and authorized by CNSS, with possible modifications, for application to national security systems. This harmonized security guidance is expected to result in less duplication of effort and more effective implementation of controls across multiple interconnected systems. The task force has developed three initial publications. These publications, among other things, provide guidance for applying a risk management framework to federal systems, identify an updated catalog of security controls and guidelines, and update the existing security assessment guidelines for federal systems. CNSS has issued an instruction to begin implementing the newly developed guidance for national security systems. Two additional joint publications are scheduled for release by early 2011, with other publications under consideration. Differences remain between guidance for national security and non-national security systems in such areas as system categorization, selection of security controls, and program management controls. NIST and CNSS officials stated that these differences may be addressed in the future but that some may remain because of the special nature of national security systems. While progress has been made in developing the harmonized guidance, additional work remains to implement it and ensure continued progress. For example, task force members have stated their intent to develop plans for future harmonization activities, but these plans have not yet been finalized. In addition, while much of the harmonized guidance incorporates controls and language previously developed for use for non-national security systems, significant work remains to implement the guidance for national security systems. DOD and the intelligence community are developing agency-specific guidance and transition plans for implementing the harmonized guidance, but, according to officials, actual implementation could take several years to complete. Officials stated that this is primarily due to both the large number and criticality of the systems that must be reauthorized under the new guidance. Further, the agencies have yet to fully establish implementation milestones and lack performance metrics for measuring progress. Finally, the harmonization effort has been managed without full implementation of key collaborative practices, such as documenting identified needs and leveraging resources to address those needs, agreed-to agency roles and responsibilities, and processes to monitor and report results. Task force members stress that their informal, flexible approach has resulted in significant success. Nevertheless, further implementation of key collaborative practices identified by GAO could facilitate further progress. GAO is recommending that the Secretary of Commerce and the Secretary of Defense, among other things, update plans for future collaboration, establish timelines for implementing revised guidance, and fully implement key practices for interagency collaboration in the harmonization effort. In comments on a draft of this report, Commerce and DOD concurred with GAO's recommendations.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Commerce To assist the joint task force in continuing its efforts to establish harmonized guidance and policies for national security systems and non-national security systems, the Secretary of Commerce should direct the Director of NIST to collaborate with CNSS to complete plans to identify future areas for harmonization efforts.
Closed – Implemented
Through the Joint Task Force Transformation Initiative Working Group, the National Institute of Standards and Technology (NIST), in collaboration with the Committee on National Security systems (CNSS), the Department of Defense (DOD), and the Office of the Director of National Intelligence (ODNI), developed a work plan to create unified information security standards and guidelines. The March 2014 work plan identifies special publications that the task force will revise during the year. For example, according to the work plan, the Task Force will collaborate to revise Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems, by March 2015, among other information security-related special publications to be revised and finalized. The Task Force's standard operating procedures direct its members to meet annually to determine a mutually agreed upon work plan for the development of common information security standards and guidelines.
Department of Commerce To assist the joint task force in continuing its efforts to establish harmonized guidance and policies for national security systems and non-national security systems, the Secretary of Commerce should direct the Director of NIST to collaborate with CNSS to consider how implementing elements of key collaborative practices, such as documenting roles and responsibilities, needs, resources, and monitoring and reporting mechanisms, may serve to sustain and enhance the harmonization effort.
Closed – Implemented
NIST, in collaboration with CNSS, developed standard operating procedures for the Joint Task Force Transformation Initiative Working Group that define elements of the collaborative process to harmonize national and non-national security systems guidance and policies. The procedures document the roles and responsibilities for task force members such as developing an annual work plan for the development of common information security standards and guidelines. The procedures also direct members to contribute resources to support the development process. Further, the procedures direct task force leadership, in collaboration with its partners, to develop a milestone schedule, a publication review and approval process, and an update and maintenance process for the guidance developed.
Department of Defense To assist the joint task force in continuing its efforts to establish harmonized guidance and policies for national security systems and non-national security systems, the Secretary of Defense should direct CNSS to collaborate with NIST to complete plans to identify future areas for harmonization efforts.
Closed – Implemented
The Joint Task Force Transformation Initiative Working Group, a collaboration between the Committee on National Security systems (CNSS), the National Institute of Standards and Technology (NIST), the Department of Defense (DOD) and Office of the Director of National Intelligence, developed a work plan to create unified information security standards and guidelines. The March 2014 work plan identifies special publications that the task force will revise during the year. For example, according to the work plan, the Task Force will collaborate to revise Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems, by March 2015, among other information security-related special publications to be revised and finalized. The Task Force's standard operating procedures direct Task Force members to meet annually to determine a mutually agreed upon work plan for the development of common information security standards and guidelines.
Department of Defense To assist the joint task force in continuing its efforts to establish harmonized guidance and policies for national security systems and non-national security systems, the Secretary of Defense should direct CNSS to collaborate with its member organizations, including both DOD and the intelligence community, to include milestones and performance measures in their plans to implement the harmonized CNSS policies and guidance.
Closed – Implemented
In the Joint Task Force Transformation Initiative Working Group's March 2014 annual work plan, the task force identified for revision three NIST special publications addressing information security. While the work plan did not include specific performance metrics, it provided timeframes for revising and releasing the updated guidance. For example, according to the work plan, the task force will collaborate to revise Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems, by March 2015. The task force work plan also identified SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, and SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, for revision and release in final form in August 2014 and January 2015, respectively. SP 800-53A remains in draft.
Department of Defense To assist the joint task force in continuing its efforts to establish harmonized guidance and policies for national security systems and non-national security systems, the Secretary of Defense should direct CNSS to collaborate with NIST to consider how implementing elements of key collaborative practices, such as documenting roles and responsibilities, needs, resources, and monitoring and reporting mechanisms, may serve to sustain and enhance the harmonization effort.
Closed – Implemented
CNSS collaborated with NIST to jointly develop standard operating procedures for the Joint Task Force Transformation Initiative Working Group that define elements of the collaborative process to harmonize national and non-national security systems guidance and policies. The procedures document the roles and responsibilities for task force members such as developing an annual work plan for the development of common information security standards and guidelines. The procedures also direct members to contribute resources to support the development process. Further, the procedures direct task force leadership, in collaboration with its partners, to develop a milestone schedule, a publication review and approval process, and an update and maintenance process for the guidance developed.

Full Report

GAO Contacts

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Federal Information Processing StandardsInformation securityInformation systemsInformation technologyProgram managementRisk assessmentSecurity policiesStandardsStrategic information systems planningSystem security plansSystems designPolicies and procedures