This is the accessible text file for GAO report number GAO-10-916 
entitled 'Information Security: Progress Made on Harmonizing Policies 
and Guidance for National Security and Non-National Security Systems' 
which was released on September 15, 2010. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Chairwoman, Subcommittee on Government Management, 
Organization, and Procurement, Committee on Oversight and Government 
Reform, House of Representatives: 

United States Government Accountability Office: 
GAO: 

September 2010: 

Information Security: 

Progress Made on Harmonizing Policies and Guidance for National 
Security and Non-National Security Systems: 

GAO-10-916:  

GAO Highlights: 

Highlights of GAO-10-916, a report to the Chairwoman, Subcommittee on 
Government Management, Organization, and Procurement, Committee on 
Oversight and Government Reform, House of Representatives.  

Why GAO Did This Study: 

Historically, civilian and national security-related information 
technology (IT) systems have been governed by different information 
security policies and guidance. Specifically, the Office of Management 
and Budget and the Department of Commerce’s National Institute of 
Standards and Technology (NIST) established policies and guidance for 
civilian non-national security systems, while other organizations, 
including the Committee on National Security Systems (CNSS), the 
Department of Defense (DOD), and the U.S. intelligence community, have 
developed policies and guidance for national security systems. GAO was 
asked to assess the progress of federal efforts to harmonize policies 
and guidance for these two types of systems. To do this, GAO reviewed 
program plans and schedules, analyzed policies and guidance, assessed 
program efforts against key practices for cross-agency collaboration, 
and interviewed officials responsible for this effort.  

What GAO Found: 

Federal agencies have made progress in harmonizing information 
security policies and guidance for national security and non-national 
security systems. Representatives from civilian, defense, and 
intelligence agencies established a joint task force in 2009, led by 
NIST and including senior leadership and subject matter experts from 
participating agencies, to publish common guidance for information 
systems security for national security and non-national security 
systems. The harmonized guidance is to consist of NIST guidance 
applicable to non-national security systems and authorized by CNSS, 
with possible modifications, for application to national security 
systems. This harmonized security guidance is expected to result in 
less duplication of effort and more effective implementation of 
controls across multiple interconnected systems. The task force has 
developed three initial publications. These publications, among other 
things, provide guidance for applying a risk management framework to 
federal systems, identify an updated catalog of security controls and 
guidelines, and update the existing security assessment guidelines for 
federal systems. CNSS has issued an instruction to begin implementing 
the newly developed guidance for national security systems. Two 
additional joint publications are scheduled for release by early 2011, 
with other publications under consideration. Differences remain 
between guidance for national security and non-national security 
systems in such areas as system categorization, selection of security 
controls, and program management controls. NIST and CNSS officials 
stated that these differences may be addressed in the future but that 
some may remain because of the special nature of national security 
systems.  

While progress has been made in developing the harmonized guidance, 
additional work remains to implement it and ensure continued progress. 
For example, task force members have stated their intent to develop 
plans for future harmonization activities, but these plans have not 
yet been finalized. In addition, while much of the harmonized guidance 
incorporates controls and language previously developed for use for 
non-national security systems, significant work remains to implement 
the guidance for national security systems. DOD and the intelligence 
community are developing agency-specific guidance and transition plans 
for implementing the harmonized guidance, but, according to officials, 
actual implementation could take several years to complete. Officials 
stated that this is primarily due to both the large number and 
criticality of the systems that must be reauthorized under the new 
guidance. Further, the agencies have yet to fully establish 
implementation milestones and lack performance metrics for measuring 
progress. Finally, the harmonization effort has been managed without 
full implementation of key collaborative practices, such as 
documenting identified needs and leveraging resources to address those 
needs, agreed-to agency roles and responsibilities, and processes to 
monitor and report results. Task force members stress that their 
informal, flexible approach has resulted in significant success. 
Nevertheless, further implementation of key collaborative practices 
identified by GAO could facilitate further progress.  

What GAO Recommends: 

GAO is recommending that the Secretary of Commerce and the Secretary 
of Defense, among other things, update plans for future collaboration, 
establish timelines for implementing revised guidance, and fully 
implement key practices for interagency collaboration in the 
harmonization effort. In comments on a draft of this report, Commerce 
and DOD concurred with GAO’s recommendations.  

View [hyperlink, http://www.gao.gov/products/GAO-10-916] or key 
components. For more information, contact Gregory C. Wilshusen at 
(202) 512-6244 or wilshuseng@gao.gov.  

[End of section]  

Contents: 

Letter: 

Background: 

Progress Is Being Made to Harmonize IT Security Guidance: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objective, Scope, and Methodology: 

Appendix II: Comments from the Department of Commerce: 

Appendix III: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: Joint Task Force Completed and Planned Publications: 

Table 2: Estimated Dates for Revised DOD Guidance and Associated 
Publications: 

Table 3: Joint Task Force Efforts in Key Practice Areas: 

Figures: 

Figure 1: NIST Risk Management Framework: 

Figure 2: Unified Information Security Framework: 

Abbreviations: 

CIO: Chief Information Officer: 

CNSS: Committee on National Security Systems: 

CNSSI-1253: Committee on National Security Systems Instruction 1253: 

DCID: Director Central Intelligence Directive: 

DIACAP: DOD Information Assurance Certification and Accreditation 
Process: 

DOD: Department of Defense: 

DODI: Department of Defense Instruction: 

FIPS: Federal Information Processing Standard: 

FISMA: Federal Information Security Management Act: 

NIST: National Institute of Standards and Technology: 

NSA: National Security Agency: 

ODNI: Office of the Director of National Intelligence: 

OMB: Office of Management and Budget: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

September 15, 2010: 

The Honorable Diane Watson: 
Chairwoman: 
Subcommittee on Government Management, Organization, and Procurement: 
Committee on Oversight and Government Reform: 
House of Representatives:  

Dear Chairwoman Watson:  

Historically, civilian and national security-related information 
technology (IT) systems have been governed by different information 
security policies and guidance. However, over time, factors such as 
the increasing interconnectedness of computer systems have led to 
these systems facing similar threats. 

Development of a unified information security framework that 
harmonizes security standards and guidance for national security 
systems and non-national security systems has been highlighted as 
having the potential to improve information security and avoid 
unnecessary and costly duplication of effort. As agreed with your 
office, our objective was to assess the progress of federal efforts to 
harmonize policies and guidance for national security systems and 
non-national security systems. 

To identify efforts to harmonize policies and guidance for national 
security systems and non-national security systems, we identified 
completed and planned efforts by the Department of Commerce's National 
Institute of Standards and Technology (NIST), Department of Defense 
(DOD), Committee on National Security Systems (CNSS), and the Office 
of the Director of National Intelligence (ODNI) to issue joint 
information security policies and guidance. We then reviewed related 
publications, guidance, plans, and other documents from these 
organizations to identify differences in existing guidance and plans 
to resolve those differences and conducted interviews with officials 
to discuss these differences, the status of harmonization efforts, and 
the implications for the security of information systems. We also 
evaluated completed and planned activities against criteria including 
prior GAO work on key practices to enhance and sustain cross-agency 
collaboration. Appendix I contains additional details on the 
objective, scope, and methodology of our review. 

We conducted this performance audit from February 2010 to September 
2010 in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objective. 

Background: 

The Federal Information Security Management Act (FISMA) specifies 
requirements for protecting federal systems and data. Enacted into law 
on December 17, 2002, as title III of the E-Government Act of 2002, 
FISMA requires every federal agency, including agencies with national 
security systems,[Footnote 1] to develop, document, and implement an 
agencywide information security program to secure the information and 
information systems that support the operations and assets of the 
agency, including those provided or managed by another agency, 
contractor, or other source. Specifically, this program is to include: 

* periodic assessments of the risk and magnitude of harm that could 
result from the unauthorized access, use, disclosure, disruption, 
modification, or destruction of information or information systems; 

* risk-based policies and procedures that cost-effectively reduce 
information security risks to an acceptable level and ensure that 
information security is addressed throughout the life cycle of each 
information system; 

* periodic testing and evaluation of the effectiveness of information 
security policies, procedures, and practices that include testing of 
management, operational, and technical controls for every system 
identified in the agency's required inventory of major information 
systems; 

* subordinate plans for providing adequate information security for 
networks, facilities, and systems or groups of information systems; 

* security awareness training for agency personnel, including 
contractors and other users of information systems that support the 
operations and assets of the agency; 

* a process for planning, implementing, evaluating, and documenting 
remedial action to address any deficiencies in the information 
security policies, procedures, and practices of the agency; 

* procedures for detecting, reporting, and responding to security 
incidents; and: 

* plans and procedures to ensure continuity of operations for 
information systems that support the operations and assets of the 
agency. 

FISMA also assigns specific information security responsibilities to 
the Office of Management and Budget (OMB), NIST, agency heads, and 
agency chief information officers (CIO). Generally, OMB is responsible 
for developing policies and guidance and overseeing agency compliance 
with FISMA, NIST is responsible for developing technical standards, 
and agency heads and CIOs are responsible for ensuring that each 
agency implements the information security program and other 
requirements of FISMA. 

These responsibilities do not, however, apply equally to all agency 
information systems. FISMA differs in its treatment of national 
security and non-national security systems. While FISMA requires each 
federal agency to manage its information security risks through its 
agencywide information security program, the law recognizes a 
long-standing division between requirements for national security and 
non-national security systems that limits civilian management and 
oversight of information systems supporting military and intelligence 
activities.[Footnote 2] 

FISMA recognizes the division between national security systems and 
non-national security systems in two ways. First, to ensure compliance 
with applicable authorities, the law requires agencies using national 
security systems to implement information security policies and 
practices as required by standards and guidelines for national 
security systems in addition to the requirements of FISMA. Second, the 
responsibilities assigned by FISMA to OMB and NIST are curtailed. 
OMB's responsibilities are reduced with regard to national security 
systems to oversight and reporting to Congress on agency compliance 
with FISMA. OMB's annual review and approval or disapproval of agency 
information security programs, for example, does not include national 
security systems.[Footnote 3] Similarly, according to FISMA, 
NIST-developed standards, which are mandatory for non-national 
security systems, do not apply to national security systems. FISMA limits NIST 
to developing, in conjunction with DOD and the National Security 
Agency (NSA), guidelines for agencies on identifying an information 
system as a national security system, and for ensuring that NIST 
standards and guidelines are complementary with standards and 
guidelines developed for national security systems. FISMA also 
requires NIST to consult with other agencies to ensure use of 
appropriate information security policies, procedures, and techniques 
in order to improve information security and avoid unnecessary and 
costly duplication of effort. 

In light of this division between national security and non-national 
security systems, NIST is responsible for developing standards and 
guidance for non-national security information systems. For example, 
NIST issues mandatory Federal Information Processing Standards (FIPS) 
and special publications that provide guidance for information systems 
security for non-national security systems in federal agencies. 

For national security systems, National Security Directive 42 
established CNSS, an organization chaired by the Department of 
Defense, to, among other things, issue policy directives and 
instructions that provide mandatory information security requirements 
for national security systems.[Footnote 4] In addition, the defense 
and intelligence communities develop implementing instructions and may 
add additional requirements where needed. 

FISMA provides a further exception to compliance with NIST standards. 
It permits an agency to use more stringent information security 
standards if it certifies that its standards are at least as stringent 
as the NIST standards and are otherwise consistent with policies and 
guidelines issued under FISMA. It is on the basis of this authority 
that the Department of Defense establishes information security 
standards for all of its systems (national security and non-national 
security systems) that are more stringent than the standards required 
for protecting non-national security systems under FISMA. For example, 
the DOD directive establishing the Department of Defense Information 
Assurance Certification and Accreditation Process (DIACAP) for 
authorizing the operation of DOD information systems requires annual 
certification that the DIACAP process is current and more stringent 
than NIST standards under FISMA. 

NIST Guidance Provides Basic Framework for Security of Non-National 
Security Systems: 

To help implement the provisions of FISMA for non-national security 
systems, NIST has developed a risk management framework for agencies 
to follow in developing information security programs. The framework 
is specified in NIST Special Publication (SP) 800-37, revision 1, 
Guide for Applying the Risk Management Framework to Federal 
Information Systems: A Security Life Cycle Approach,[Footnote 5] which 
provides agencies with guidance for applying the risk management 
framework to federal information systems.[Footnote 6] The framework in 
SP 800-37 consists of security categorization, security control 
selection and implementation, security control assessment, information 
system authorization, and security control monitoring. It also 
provides a process that integrates information security and risk 
management activities into the system development life cycle. Figure 1 
provides an illustration of the framework and notes relevant security 
guidance for each part of the framework. 

Figure 1: NIST Risk Management Framework: 

[Refer to PDF for image: illustration]  

The illustration depicts a circle with six components encircling the 
core of the Security Life Cycle:  

Starting point: 
Categorize information system: 
FIPS 199/SP 800-60; Define criticality/sensitivity of information 
system according to potential worst-case, adverse impact to 
mission/business.  

Select security controls: 
FIPS 200/SP 800-53; Select baseline security controls; apply tailoring 
guidance and supplement controls as needed based on risk assessment.  

Implement security controls: 
SP 800-70; Implement security controls within enterprise architecture 
using sound systems engineering practices; apply security 
configuration settings.  

Assess security controls: 
SP 800-53A; Determine security control effectiveness (i.e., controls 
implemented correctly, operating as intended, meeting security 
requirements for information system).  

Authorize information system: 
SP 800-37; Determine risk to organizational operations and assets, 
individuals, other organizations, and the Nation; if acceptable, 
authorize operation.  

Monitor security state: 
SP 800-37/SP 800-53A; Continuously track changes to the information 
system that may affect security controls and reassess control 
effectiveness.  

Source: GAO analysis of NIST data.  

[End of figure] 

Other key NIST publications related to the risk management framework 
include the following: 

* Federal Information Processing Standard (FIPS) 199, Standards for 
Security Categorization of Federal Information and Information 
Systems.[Footnote 7] Provides agencies with criteria to identify and 
categorize their information systems based on providing appropriate 
levels of information security according to a range of risk levels. 

* NIST SP 800-60, revision 1, Guide for Mapping Types of Information 
and Information Systems to Security Categories.[Footnote 8] Provides 
guidance for implementing FIPS 199. 

* FIPS 200, Minimum Security Requirements for Federal Information and 
Information Systems.[Footnote 9] Provides minimum information security 
requirements for protecting the confidentiality, integrity, and 
availability of federal information systems. 

* NIST SP 800-53 revision 3, Recommended Security Controls for Federal 
Information Systems and Organizations.[Footnote 10] Provides 
guidelines for selecting and specifying security controls for 
information systems. 

* NIST SP 800-70, revision 1, National Checklist Program for IT 
Products-Guidelines for Checklist Users and Developers.[Footnote 11] 
Provides guidance for using the National Checklist Repository to 
select a security configuration checklist, which may include items 
such as security controls used in FISMA system assessments. 
[Footnote 12] 

* NIST SP 800-53A, revision 1, Guide for Assessing the Security 
Controls in Federal Information Systems.[Footnote 13] Provides 
agencies with guidance for building security assessment plans and 
procedures for assessing the effectiveness of security controls 
employed in information systems. 

In applying the provisions of FIPS 200, federal civilian agencies with 
non-national security systems are to first categorize their 
information and systems as required by FIPS 199, and then should 
select an appropriate set of security controls from NIST SP 800-53 to 
satisfy their minimum security requirements. This helps to ensure that 
appropriate security requirements and security controls are applied to 
all non-national security systems. Next, controls are implemented and 
information systems are authorized using NIST SP 800-70. Finally, 
agencies assess, test, and monitor the effectiveness of the 
information security controls using the guidance in NIST SP 800-53A. 
Many other FIPS and NIST special publications provide guidance for the 
implementation of FISMA requirements for non-national security systems. 

CNSS Provides the Basic Security Framework for National Security 
Systems with Defense and Intelligence Agencies Providing Additional 
Guidance: 

For national security systems, organizations responsible for 
developing policies, directives, and guidance include CNSS, DOD, and 
the intelligence community. The processes and criteria established by 
this guidance are often similar to those required by NIST guidance for 
non-national security systems. For example, security guidance for 
certification and accreditation requires risk assessments, 
verification of security requirements in a security plan or other 
document, testing of security controls, and formal authorization by an 
authorizing official. Roles of these agencies and key security 
guidance that they have issued are described below. 

Committee on National Security Systems: 

CNSS provides a forum for the discussion of policy issues, sets 
national policy, and provides direction, operational procedures, and 
guidance for the security of national security systems. The Department 
of Defense chairs the committee under the authorities established by 
National Security Directive 42, issued in July 1990.[Footnote 14] This 
directive designates the Secretary of Defense and the Director of the 
National Security Agency as the Executive Agent and National Manager 
for national security systems, respectively. 

The committee has voting representatives from 21 departments and 
agencies.[Footnote 15] In addition, nonvoting observers such as NIST 
participate in meetings, provide comments and suggestions, and 
participate in subcommittee and working group activities. The 
committee organizes its activities by developing an annual program of 
work and plan of action and milestones. NSA provides logistical and 
administrative support for the committee, including a Secretariat 
manager who organizes the day-to-day activities of the committee. 

Since its inception, the committee has issued numerous policies, 
directives, and instructions that are binding upon all federal 
departments and agencies for national security systems. Key 
publications include the Information Assurance Risk Management Policy 
for National Security Systems,[Footnote 16] National Policy on 
Certification and Accreditation of National Security 
Telecommunications and Information Systems,[Footnote 17] National 
Information Assurance Certification and Accreditation Process, 
[Footnote 18] and a National Information Assurance Glossary. 
[Footnote 19] 

Department of Defense: 

To defend DOD information systems and computer networks from 
unauthorized or malicious activity, the department established an 
Information Assurance Framework in its 8500 series of guidance. This 
framework allows DOD to ensure the security of its information systems 
by providing standards and support to its component information 
assurance programs. DOD uses this framework for all of its IT systems. 
DOD directive 8500.01 and implementing instruction 8500.2, which 
documents information security controls, are the primary policy 
documents that describe this framework. In addition, the Department of 
Defense Information Assurance Certification and Accreditation Process, 
published in November 2007, is documented in DOD 8510.01 and the 
online DIACAP knowledge service. Also, the establishment of an 
information security program is described in DOD regulation 5200.01-R, 
dated January 1997. 

Intelligence Community: 

The intelligence community is a federation of executive branch 
agencies and organizations that work separately and together to 
conduct intelligence activities necessary for the conduct of foreign 
relations and the protection of the national security of the United 
States.[Footnote 20] Member organizations include intelligence 
agencies, military intelligence, and civilian intelligence and 
analysis offices within federal executive departments. The community 
is led by the Director of National Intelligence, who oversees and 
directs the implementation of the National Intelligence Program. 

Historically, the intelligence community has had separate instructions 
related to information system security. For example, Director of 
Central Intelligence Directive (DCID) 6/3, Protecting Sensitive 
Compartmented Information within Information Systems,[Footnote 21] and 
its implementation manual provided policy and procedures for the 
security and protection of systems that create, process, store, and 
transmit intelligence information, and defined and mandated the use of 
a risk management process and a certification and accreditation 
process. 

Federal Agencies Have Had Disparate Information Security Guidance: 

Prior to efforts to harmonize information security guidance, federal 
organizations had developed separate, and sometimes disparate, 
guidance for information security. For example, the National Security 
Agency used the National Information Systems Certification and 
Accreditation Process, the intelligence community used DCID 6/3, and 
DOD used the Department of Defense Information Technology Security 
Certification and Accreditation Process, which later became the DIACAP. 

According to the Federal CIO Council's strategic plan and federal 
officials in DOD and the intelligence community, these processes had 
some elements in common;[Footnote 22] however, the variances in 
guidance were sufficient to cause several unintended and undesirable 
consequences for the federal community. For example, both DOD and NIST 
had catalogs of information security controls that covered similar 
areas but had different formats and structures. 

As a result, according to the CIO Council, organizations responsible 
for providing oversight of federal information systems such as members 
of the CIO Council and CNSS could not easily assess the security of 
federal information systems. In addition, reciprocity--the mutual 
agreement among participating enterprises to accept each other's 
security assessments--was hampered because of the apparent differences 
in interpreting risk levels. Because agencies were not confident in 
their understanding of other agencies' certification and accreditation 
results, they sometimes felt it necessary to recertify and reaccredit 
information systems, expending resources, including time and money, 
which may not have been necessary.[Footnote 23] 

Progress Is Being Made to Harmonize IT Security Guidance: 

A task force consisting of representatives from civilian, defense, and 
intelligence agencies has made progress in establishing a unified 
information security framework for national security and non-national 
security systems. Specifically, NIST has published three initial 
documents developed by a task force working group to harmonize 
information security standards for national security and non-national 
security systems, and is scheduled to publish two more by early 2011. 
While much has been accomplished, differences remain between the 
guidance for the two types of systems, and significant work remains to 
implement the harmonized guidance on national security systems, such 
as developing supporting agency-specific guidance and establishing 
specific time frames and performance measures for implementation. 
Further, while the task force has implemented elements of key 
practices for interagency coordination that GAO has identified, much 
of this implementation is not documented. The lack of fully 
implemented practices, such as those that assign responsibilities and 
measure progress, could limit the task force's continued progress as 
personnel change and resources are allocated among other agency 
activities. 

A Joint Task Force Has Been Established to Create a Unified 
Information Security Framework: 

According to NIST and CNSS officials, a Joint Task Force 
Transformation Initiative Interagency Working Group was formed in 
April 2009 with representatives from NIST, DOD, and ODNI to produce a 
unified information security framework for the federal government. 
Instead of having parallel publications for national security systems 
and non-national security systems for risk management and systems 
security, the intent, according to members of the joint task force, is 
to have common publications to the maximum extent possible. According 
to officials involved in the task force, harmonized security guidance 
is expected to result in less duplication of effort, lower maintenance 
costs, and more effective implementation of controls across multiple 
interconnected systems. In addition, the harmonized guidance should 
make it simpler and more cost-effective for vendors and contractors to 
supply security products and services to the federal government. 

The task force arose out of prior efforts to harmonize security 
guidance among national security systems. In 2006, the ODNI and DOD 
CIOs began an initiative to harmonize the two organizations' 
certification and accreditation guidance and processes for IT systems. 
For example, in July 2006, DOD and the intelligence community 
established a Unified Cross Domain Management Office to address 
duplication and uncoordinated security activities and improve the 
security posture of the agencies' highest-risk security devices. In 
January 2007, the DOD and ODNI CIOs published seven certification and 
accreditation transformation goals that included development of common 
security controls. According to DOD, by July 2008, DOD and the 
intelligence community were working on six documents that mirrored 
similar NIST risk management and information security publications. In 
August 2008, the CIOs signed an agreement adopting common guidelines 
to streamline and build reciprocity into the certification and 
accreditation process. 

As this effort progressed, the agencies involved determined that it 
would benefit from closer engagement with NIST and the development of 
common security guidance. NIST had been informally involved in the 
harmonization effort for several years, but, according to CNSS, DOD, 
and ODNI, during the CNSS annual conference in the spring of 2009, the 
CNSS community decided to more actively engage NIST and agree to use 
NIST documents as the basis for information security controls and risk 
management. The committee also agreed to complete policies and 
instructions to support use of the NIST publications. Following the 
conference, a memo from the Acting CIO for the intelligence community 
stated that the intelligence community intended to follow CNSS 
guidance that pointed to related NIST publications. 

NIST currently leads the working group and the task force publication 
development process. Working group members are selected for each 
publication from participating agencies and support contractors to 
provide subject matter expertise and administrative support. In 
addition, the task force is guided by a senior leadership team from 
NIST, CNSS, DOD, and ODNI that reviews and approves the harmonized 
publications. 

As illustrated in figure 2, key areas targeted for the common guidance 
include risk management, security categorization, security controls, 
security assessment procedures, and the security authorization process 
contained in the NIST risk management framework. NIST develops 
standards and guidance for non-national security systems, including 
most systems in civilian agencies. CNSS provides policy, directives, 
and instructions binding upon all U.S. government departments and 
agencies for national security systems, including systems in the 
intelligence community and DOD (e.g., classified systems). Since NIST 
does not have authority over national security systems, CNSS issuances 
authorize the use of the harmonized NIST guidance developed by the 
joint task force. As necessary, CNSS also develops additional 
information security requirements to accommodate the unique nature of 
national security systems. Finally, individual agencies may create 
their own specific implementing guidance. 

Figure 2: Unified Information Security Framework: 

[Refer PDF for image: illustration]  

Foundational set of information security standards and guidance:  

* Risk management (organization, mission, information system); 
* Security categorization (information criticality/sensitivity); 
* Security controls (safeguards and countermeasures); 
* Security assessment procedures; 
* Security authorization process:  

NIST Guidance: 
Modified with: 
Agency-specific information security guidance; 
Applied to: 
Non-national security systems.  

CNSS guidance: 
Modified with: 
Agency-specific information security guidance; 
Applied to: 
National security systems.  

Sources: NIST and CNSS.  

Note: The foundational set of common information security requirements 
links to the requirements in the NIST Risk Management Framework.  

[End of figure]  

Joint Task Force Has Published Three Initial Harmonized Guidance 
Publications: 

The joint task force has published three of five planned publications 
containing harmonized information security guidance and is actively 
developing the final two publications. These include a new publication 
as well as revisions to existing NIST guidance, as summarized in table 
1. In addition, the task force is considering collaboration on two 
additional publications. 

Table 1: Joint Task Force Completed and Planned Publications: 

Publication: NIST SP 800-53, revision 3, Recommended Security Controls 
for Federal Information Systems and Organizations; 
Issue date: August 2009. 

Publication: NIST SP 800-37, revision 1, Guide for Applying the Risk 
Management Framework to Federal Information Systems: A Security Life 
Cycle Approach; 
Issue date: February 2010. 

Publication: NIST SP 800-53A, revision 1, Guide for Assessing the 
Security Controls in Federal Information Systems and Organizations; 
Issue date: June 2010. 

Publication: NIST SP 800-39, Enterprise-Wide Risk Management: 
Organization, Mission, and Information Systems View; 
Issue date: January 2011 (planned). 

Publication: NIST SP 800-30, revision 1, Guide for Conducting Risk 
Assessments; 
Issue date: February 2011 (planned). 

Source: NIST.  

[End of table]  

As of June 2010, the three publications developed by the joint task 
force and released by NIST are the following: 

* NIST SP 800-53, revision 3, Recommended Security Controls for 
Federal Information Systems and Organizations, was published in August 
2009. It contains the catalog of security controls and technical 
guidelines that federal agencies will use to protect federal 
information and information systems, and is an integral part of the 
unified information security framework for the entire federal 
government. The security controls within revision 3 provide updated 
security controls developed by the joint task force members that 
included NIST, CNSS, DOD, and ODNI with specific information from 
databases of known cyber attacks and threat information. According to 
the task force leader and the CNSS manager, new controls and 
enhancements were added as a result of the harmonization effort. For 
example, control AC-4, related to Information Flow Enforcement, had 
several enhancements added because of input from the national security 
systems community. 

* NIST SP 800-37, revision 1, Guide for Applying the Risk Management 
Framework to Federal Information Systems: A Security Life Cycle 
Approach, was released in February 2010. This publication replaces the 
traditional certification and accreditation process with the six-step 
risk management framework, including a process of assessment and 
authorization. [Footnote 24] According to the publication, the revised 
process emphasizes building information security capabilities into 
federal information systems through the application of security 
controls while implementing an ongoing monitoring process. It also 
provides information to senior leaders to facilitate better decisions 
regarding the acceptance of risk arising from the operation and use of 
information systems. According to the task force leader and the CNSS 
manager, the publication contains few direct changes as a result of 
the harmonization effort. Rather, task force representatives 
determined that the existing NIST risk management framework contained 
the same concepts and content as existing national security-related 
guidance, such as the DIACAP. 

* NIST SP 800-53A, revision 1, Guide for Assessing the Security 
Controls in Federal Information Systems and Organizations, was 
published in June 2010. The updated security assessment guideline is 
intended to incorporate leading practices in information security from 
DOD, the intelligence community, and civil agencies and includes 
security control assessment procedures for both national security and 
non-national security systems. The guidelines for developing security 
assessment plans are intended to support a wide variety of assessment 
activities in all phases of the system development life cycle, 
including development, implementation, and operation. According to the 
task force leader and the CNSS manager, while there were few direct 
changes to the content of SP 800-53A as a result of the harmonization 
effort, task force members are collaborating on revising the 
assessment cases, which provide additional instruction on techniques 
for testing specific controls. According to the leader, this effort is 
to be completed by the end of 2010. 

Because CNSS, not NIST, has the authority to issue binding guidance 
for national security systems, CNSS has issued supplemental guidance 
for implementing NIST SP 800-53: CNSS Instruction 1253 (CNSSI-1253), 
Security Categorization and Control Selection for National Security 
Systems, which was published in October 2009. This instruction states 
that the Director of National Intelligence and the Secretary of 
Defense have directed that the processes described in NIST SP 800-53, 
revision 3 (as amended by the instruction), and the NIST security and 
programmatic controls contained in 800-53 apply to national security 
systems. Using the controls in 800-53, this instruction provides 
categorization and corresponding baseline sets of controls for 
national security systems. 

CNSS also recently published a revised common glossary of information 
security terms in support of the goal of adopting a common lexicon for 
the national security and non-national security communities.[Footnote 
25] This revised glossary harmonizes terminology used by DOD, the 
intelligence community, and civil agencies (which use a NIST-developed 
glossary) to enable all three to use the same terminology (and move 
toward shared documentation and processes). 

According to the CNSS Secretariat manager, in December 2010 CNSS plans 
to revise an existing policy, CNSSP 6, to generally direct the use of 
NIST publications, including SP 800-37 and SP 800-53A, as common 
guidance and will include related CNSS instructions (if any) on how to 
implement the NIST guidance for national security systems.[Footnote 
26] This will coincide closely with the publication of NIST SP 800-39 
and SP 800-30, revision 1. The CNSS manager stated that once common 
guidance developed jointly with NIST is finalized, CNSS needs to 
determine whether it will need supplemental instructions because of 
the uniqueness of national security systems (e.g., their special 
operating environments or the classified information they contain). 
However, CNSS officials said that the committee intends to keep this 
unique guidance to a minimum and use the common security guidance to 
the maximum extent possible. 

The joint task force's development schedule lists two additional joint 
task force publications: 

* NIST SP 800-39, Enterprise-Wide Risk Management: Organization, 
Mission, and Information Systems View, planned for publication in 
January 2011, is to provide an approach for managing that portion of 
risk resulting from the incorporation of information systems into the 
mission and business processes of an organization. 

* NIST SP 800-30, revision 1, Guide for Conducting Risk Assessments, 
planned for publication in February 2011, is a revision of an existing 
NIST publication that will be refocused to address risk assessments as 
part of the risk management framework. 

In addition to the two planned publications, the joint task force 
leader and the CNSS Secretariat manager stated that two other 
publications are under consideration for collaboration: 

* Guide for Information System Security Engineering, under 
consideration for publication in September 2011, and: 

* Guide for Software Application Security, under consideration for 
publication in November 2011. 

The estimated completion dates for these future publications are later 
than originally planned. For example, as of January 2010, SP 800-39 
and SP 800-30, revision 1, were to have been completed in August 2010, 
and the information system security engineering guide was to be 
completed in October 2010. According to the task force leader, the 
delays are due to additional work and coordination activities that 
needed to be completed, the breadth and depth of comments in the 
review process, and challenges in coordination with other task force 
members. 

Task force members acknowledge that there are additional areas of IT 
security guidance where it may be possible to collaborate, but they 
have not yet documented plans for future efforts. The CNSS manager 
stated that the committee intends to update its existing plan of 
action and milestones in fall 2010, but this has not yet been 
completed. Until the task force defines topics and deadlines for 
future efforts, opportunities for additional collaboration will likely 
be constrained. 

Differences Remain between Guidance for National Security Systems and 
Non-National Security Systems: 

Despite the efforts to harmonize information security guidance, many 
differences remain. These include differences in system 
categorization, selection of security controls, and use of program 
management controls. 

System categorization. Different methodologies are used to categorize 
the impact level of the information contained in non-national security 
systems and national security systems. For non-national security 
systems, SP 800-53 applies the concept of a high-water mark for 
categorizing the impact level of the system, as defined in FIPS 199. 
This means that the system is categorized according to the worst-case 
potential impact of a loss of confidentiality, integrity, or 
availability of information or an information system. For example, if 
loss of confidentiality was deemed to be high impact, but loss of 
integrity and availability were deemed to be moderate impact, the 
system would be considered a high-impact system. As a result, SP 800-53 
contains three recommended baselines (starting points) for control 
selection--low, moderate, and high. 

By contrast, while national security systems will use the controls in 
SP 800-53, the impact level will be determined using CNSSI-1253, not 
FIPS 199. CNSSI-1253 uses a more granular structure in which the 
potential impact levels of loss of confidentiality, integrity, and 
availability are individually used to select categorizations. As a 
result, while FIPS 199 has three impact levels (low, moderate, and 
high), CNSSI-1253 has 27 (all possible combinations of low, moderate, 
and high for confidentiality, integrity, and availability). 

According to an official at NIST, use of the high-water mark is easier 
for civilian agencies to implement for non-national security systems, 
and provides a more conservative approach by employing stronger 
controls by default. According to CNSS, retaining the more granular 
impact levels reduces the need for subsequent tailoring of controls. 
Officials involved in the harmonization effort stated that while they 
may attempt to reconcile the approaches in the future, there are no 
current plans to do so. 
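The two categorization methods described above, worked through as an added example (not code from the GAO report, NIST, or CNSS): the FIPS 199 high-water mark collapses a system's confidentiality, integrity, and availability impact levels into one of three baselines, while CNSSI-1253 keeps the (C, I, A) triple, giving 27 categories. The tally at the end shows how many granular categories fold into each high-water-mark baseline, which is the basis of the "more conservative" and "less tailoring" arguments; the sample system is constructed.

```python
"""FIPS 199 high-water mark versus CNSSI-1253 granular categorization.

Added illustration, not part of the report. The level names and the
high-water-mark rule follow FIPS 199 / SP 800-53 as described in the
text; the sample system below is constructed for illustration.
"""
from collections import Counter
from itertools import product

# Impact levels ordered from least to most severe (FIPS 199 terms).
LEVELS = ("low", "moderate", "high")
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _validate(*levels):
    for level in levels:
        if level not in RANK:
            raise ValueError(f"unknown impact level: {level!r}")


def fips199_high_water_mark(confidentiality, integrity, availability):
    """FIPS 199 / SP 800-53 rule for non-national security systems: the
    system inherits the worst-case impact across the three objectives,
    so only three baselines (low, moderate, high) are needed."""
    _validate(confidentiality, integrity, availability)
    return max((confidentiality, integrity, availability), key=RANK.get)


def cnssi1253_category(confidentiality, integrity, availability):
    """CNSSI-1253 rule for national security systems: each objective's
    impact level is kept separately, so the categorization is the
    ordered (C, I, A) triple, one of 3**3 == 27 combinations."""
    _validate(confidentiality, integrity, availability)
    return (confidentiality, integrity, availability)


def all_cnssi1253_categories():
    """Every (C, I, A) combination CNSSI-1253 distinguishes."""
    return list(product(LEVELS, repeat=3))


def objectives_overstated(confidentiality, integrity, availability):
    """Objectives whose own impact level is below the high-water mark.
    Under FIPS 199 these receive the stronger baseline anyway, which is
    what CNSS officials describe as subsequent tailoring work."""
    hwm = fips199_high_water_mark(confidentiality, integrity, availability)
    levels = dict(zip(OBJECTIVES, (confidentiality, integrity, availability)))
    return [name for name, level in levels.items() if RANK[level] < RANK[hwm]]


def high_water_mark_collapse():
    """How many of the 27 granular categories fold into each FIPS 199
    baseline. Any single 'high' objective lands the system in the high
    baseline, so most combinations collapse upward."""
    return Counter(fips199_high_water_mark(*cat)
                   for cat in all_cnssi1253_categories())


if __name__ == "__main__":
    # Constructed sample: the report's own illustration of a system with
    # high-impact confidentiality but moderate integrity and availability.
    sample = ("high", "moderate", "moderate")
    print("FIPS 199 high-water mark:", fips199_high_water_mark(*sample))
    print("CNSSI-1253 category:     ", cnssi1253_category(*sample))
    print("Overstated by HWM:       ", objectives_overstated(*sample))
    print("27 categories fold into: ", dict(high_water_mark_collapse()))
```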

Security control selection. In our analysis of NIST and CNSS security 
control baselines for non-national security systems and national 
security systems, we determined that the new national security system 
baselines based on SP 800-53 incorporated almost all of the controls 
found in comparable non-national security baselines, as well as 
additional security controls and enhancements.[Footnote 27] For 
example, a high-impact system under the non-national security system 
baseline includes 328 controls and subcontrols. The equivalent 
baseline for a national security system includes 397 controls and 
subcontrols, out of which 326 were shared between the two baselines. 
Both CNSS and NIST officials stated that their baselines represent the 
starting point for determining which controls are appropriate for an 
individual system and that controls and enhancements may be removed or 
added as needed in accordance with established guidance. 

CNSS officials stated that national security systems provide unique 
capabilities (e.g., intelligence, cryptographic, or command and 
control), operate in diverse environments, and are subject to advanced 
cyber threats. As a result, national security systems may require more 
protection and thus more security controls than non-national security 
systems. Also, according to CNSS officials, while security controls 
for non-national security systems are often aimed at a broad IT 
environment, guidance for national security systems is developed with 
added specificity and a focus on vulnerabilities, threats, and 
countermeasures to protect classified information. 

However, NIST officials noted some non-national security systems may 
require levels of protection that are equal to the levels for national 
security systems in order to counter cyber attacks. For example, 
certain high-impact non-national security systems may be supporting 
applications that are part of critical infrastructure. Therefore, the 
mission criticality of some non-national security systems may require 
the same control techniques used by national security systems to 
counter cyber attacks. 

Program management controls. NIST SP 800-53, revision 3, identifies 11 
program management controls that agencies are required to implement 
organizationwide to support all security control baselines for 
non-national security systems. CNSSI-1253 states that these controls are 
optional. A CNSS official stated that the implementation of program 
management controls is optional to give the CNSS community flexibility 
to implement them in a way that best fits their information security 
program organizational and operational models. DOD said it plans to 
address these controls in upcoming revisions to its information 
security guidance. 

NIST and CNSS officials acknowledged that differences still exist in 
the harmonized guidance, and stated that the harmonization process 
will take time, and not all differences will be resolved during the 
initial harmonization effort. They stated that they have chosen to 
focus on issues on which they can readily achieve consensus and, if 
appropriate, plan to resolve remaining issues in a future revision. 

Additional Supporting Guidance Is Being Developed for National 
Security Systems, but Detailed Time Frames for Implementation Have Not 
Been Established: 

While much of the harmonized guidance is already in use for 
non-national security systems, significant work remains to implement the 
new guidance on national security systems. For non-national security 
systems, OMB requires that NIST guidance be implemented within 1 year 
of its publication. The civilian community has been using previous 
versions of SP 800-53 since February 2005; thus many of the controls 
have already been available for use for non-national security systems. 

However, while plans for implementing the harmonized information 
system guidance within DOD and the intelligence community have begun, 
full implementation may take years to complete. 

Department of Defense Faces Challenges in Implementing Harmonized 
Guidance: 

While DOD officials have stated that the concepts and content in the 
harmonized security guidance are similar to those in existing DOD 
directives and instructions, the implementation process will require 
substantial time and effort. Officials said that transitioning to the 
new security controls will require in-depth planning and additional 
resources, implementation will be incremental, and it will take a 
number of years to complete. For example, systems that are currently 
in development may be transitioned to the harmonized guidance, while 
systems that are already deployed may be transitioned only if the 
system undergoes a major change before its next scheduled security 
evaluation or review. 

In order for DOD to transition to the new harmonized guidance, it 
plans to first revise its existing 8500 series of guidance. This 
process includes upcoming revisions to the information security policy 
documented in its directive 8500.01 and instruction 8500.2, the 
certification and accreditation process contained in DOD 8510.01, as 
well as various additional instructions and guidance. The first major 
step is to release the revised DOD 8500.01 and 8500.2, based on the 
harmonized joint task force guidance. As seen in table 2, the 
estimated release date for these revisions is December 2010. After 
this occurs, DOD plans to develop additional implementation and 
assessment guidance, technical instructions, and other information. 
The release dates for these additional items have not yet been 
established because their development or revision is dependent on the 
final publication of revisions to the 8500 series guidance. 

Table 2: Estimated Dates for Revised DOD Guidance and Associated 
Publications: 

DOD publication: DODD 8500.01; 
Estimated publication: December 2010; 
Dependent on: CNSSI-1253; 
Estimated publication: Published. 

DOD publication: DODI 8500.2; 
Estimated publication: December 2010; 
Dependent on: NIST SP 800-53; 
Estimated publication: Published; 
Dependent on: CNSSI 1253; 
Estimated publication: Published.  

DOD publication: DODI 8510.01; 
Estimated publication: Early 2011; 
Dependent on: NIST SP 800-37; 
Estimated publication: Published; 
Dependent on: CNSSP 6; 
Estimated publication: December 2010. 

DOD publication: Other DOD implementation and assessment guides; 
Estimated publication: To be determined; 
Dependent on: NIST SP 800-53A; 
Estimated publication: Published. 

Source: GAO analysis of DOD and NIST data.  

[End of table]  

Once DOD issues guidance for implementing the joint task force's 
harmonized guidance, officials said that it will take several more 
years to incorporate the security controls into the systems' security 
plans. Specifically, the security plans for legacy systems will not be 
updated until those systems are due for recertification and 
reaccreditation, which could take place up to 3 years after updated 
DOD guidance has been released. Furthermore, DOD has not yet 
established milestones and performance measures for implementing the 
new guidance pending its issuance. Until the department develops, 
issues, and implements its revised policy, including guidance on 
implementation time frames, potential benefits from implementing the 
harmonized guidance, such as reduced duplication of effort, will not 
be realized. 

Intelligence Community Faces Challenges in Implementing Harmonized 
Guidance: 

While the intelligence community has taken steps to transition to the 
harmonized guidance, it faces challenges in doing so, such as 
developing detailed transition plans with milestones and resources for 
implementation. 

The intelligence community has established broad transition guidance 
in the form of directives and standards that direct the use of CNSS 
policy and guidance, which in turn point to the harmonized NIST 
guidance.[Footnote 28] The community has also developed a high-level 
transition plan, based on planned publication dates of harmonized 
guidance. In addition, guidance issued in May 2010 states that 
each organization within the intelligence community shall establish 
its own internal transition plan and timeline based on 
organization-specific factors. 

However, officials stated that the effort required to implement the 
new controls is significant in terms of the number of systems and 
their criticality and that implementation must be carried out in a 
careful, measured way. Furthermore, SP 800-53A, the publication used 
to assess the controls in SP 800-53, was not published until June 
2010. According to CNSS and intelligence community officials, SP 800-53A 
needed to be issued before these agencies could complete their 
implementation instructions for SP 800-53 controls. Therefore, CNSS 
has not established policies with specific time frames for 
implementation of these controls. 

The manager of CNSS said that the transition will be incremental, and 
will vary based on the complexity of the systems involved. For 
example, difficult-to-service embedded systems that have already been 
authorized, such as satellite systems, may use the current set of 
controls until the systems are removed from operation. 

An ODNI review of intelligence community implementation plans 
identified several potential challenges with implementing harmonized 
guidance. According to ODNI's overall transition plan issued in 
November 2009, a review of intelligence agency transition plans raised 
concerns, including the following: 

* Most agencies want policies and standards to be in place before 
implementing the transition. 

* The transition is likely to take 3 to 5 years after implementation 
guidance is provided. 

* A phased approach is desirable and needed, but performance measures 
and milestones have not been defined. 

* Resources, and the appropriate expertise, will need to be planned 
and available to implement the harmonized guidance. 

The NSA official responsible for approving the operation of 
information systems confirmed these concerns. For example, she stated 
that a phased implementation approach is necessary because the agency 
would not be able to reaccredit and recertify all of its systems at 
once. Additionally, she stated that it is difficult to establish 
milestones and performance measures because the security of a system 
cannot easily be quantified. However, federal guidance and our prior 
work have emphasized that tools such as a schedule and a means to track 
progress are important to the success of IT efforts. Until supporting 
implementation plans with milestones, performance measures, and 
identified resources are developed and approved to implement the 
harmonized guidance, the benefits realized by the intelligence 
community from the harmonization effort will likely be constrained. 

Key Practices May Enhance Long-Term Project Success: 

In prior work, we identified key practices that can help federal 
agencies to enhance and sustain collaboration efforts, such as the 
joint task force effort to harmonize information security guidance. 
[Footnote 29] The practices include the following: 

* Defining and articulating a common outcome. The compelling rationale 
for agencies to collaborate can be imposed externally through 
legislation or other directives or can come from the agencies' own 
perceptions of the benefits they can obtain from working together. 

* Establishing mutually reinforcing or joint strategies to achieve the 
outcome. Agency strategies that work in concert with those of their 
partners help in aligning the partner agencies' activities, core 
processes, and resources to accomplish the common outcome. 

* Identifying and addressing needs by leveraging resources. 
Collaborating agencies bring different levels of resources and 
capacities to the effort. By assessing their relative strengths and 
limitations, collaborating agencies can look for opportunities to 
address resource needs by leveraging each other's resources, thus 
obtaining additional benefits that would not be available if they were 
working separately. 

* Agreeing upon agency roles and responsibilities. Collaborating 
agencies should work together to define and agree on their respective 
roles and responsibilities, including how the collaborative effort 
will be led. In doing so, agencies can clarify who will do what, 
organize their joint and individual efforts, and facilitate decision 
making. 

* Establishing compatible policies, procedures, and other means to 
operate across agency boundaries. To facilitate collaboration, 
agencies need to address the compatibility of artifacts such as 
standards and policies that will be used in the collaborative effort. 

* Developing mechanisms to monitor, evaluate, and report the results 
of collaborative efforts. Federal agencies engaged in collaborative 
efforts need to create the means to monitor and evaluate their efforts 
to enable them to identify areas for improvement. Reporting on these 
activities can help key decision makers within the agencies, as well 
as clients and stakeholders, to obtain feedback for improving both 
policy and operational effectiveness. 

* Reinforcing agency accountability for collaborative efforts through 
agency plans and reports. Federal agencies can use their strategic and 
annual performance plans as tools to drive collaboration with other 
agencies and partners and establish complementary goals and strategies 
for achieving results. Such plans can also reinforce accountability 
for the collaboration by aligning agency goals and strategies with 
those of the collaborative efforts. 

Joint task force efforts in each of these key practice areas are 
described in table 3. 

Table 3: Joint Task Force Efforts in Key Practice Areas: 

Key practice: Defining and articulating a common outcome; 
Task force activity: The joint task force has developed a schedule 
that identifies the publications and time frames agreed to as an 
outcome of its work. Additionally, according to agency officials, NIST 
and CNSS have recognized the potential benefits of harmonized guidance 
and have collaborated through regular meetings to discuss joint work 
goals to support the common outcome of harmonized guidance. Task force 
members acknowledge that there are many areas of IT security guidance 
where it may be possible to collaborate, but they have not yet 
documented plans for future efforts. The CNSS manager stated that the 
committee intends to update its existing plan of action and milestones 
in fall 2010, but this has not yet been completed.  

Key practice: Establishing mutually reinforcing or joint strategies to 
achieve the outcome; 
Task force activity: NIST is an active participant in the annual CNSS 
Conference, in which discussions take place on the strategic direction 
for the development of policies, directives, and instructions for 
national security systems. One product of this conference is the plan 
of actions and milestones, which CNSS uses as a strategy to guide its 
activities. For example, the 2009 plan contained commitments to 
further participate in harmonization activities and to develop more 
CNSS guidance that supported achieving the outcome of use of the 
harmonized guidance.  

Key practice: Identifying and addressing needs by leveraging resources; 
Task force activity: Members of the joint task force, including NIST, 
CNSS, and NSA, work together to leverage resources and staff the 
groups that work on harmonizing the individual publications. However, 
the task force does not have an overall means of leveraging resources, 
such as a project plan or other document that addresses needs or 
identifies resources necessary to produce its publications.  

Key practice: Agreeing upon agency roles and responsibilities; 
Task force activity: According to task force members, there is an 
agreed-upon structure for the joint task force. NIST is the leader, 
and DOD and ODNI contribute resources as needed. However, there is no 
documentation of these roles and responsibilities in a charter, 
project plan, memorandum of understanding, or other written agreement 
among project participants.  

Key practice: Establishing compatible policies, procedures, and other 
means to operate across agency boundaries; 
Task force activity: CNSS has drafted a program of work and a plan of 
actions and milestones defining the committee's work for the upcoming 
year that includes harmonization of security guidance, which is the 
overall effort to establish compatible policies and procedures across 
agency boundaries. CNSS is also developing supporting guidance, such 
as CNSSI-1253, that directs agencies to implement the NIST 
publications. Furthermore, ODNI has updated its policies in support of 
the harmonization effort. Intelligence Community Directive 503, which 
is issued by ODNI, directs the use of CNSSI-1253, which, as stated 
above, has been harmonized with NIST guidance. The revision of 
existing DOD information security guidance to incorporate the 
harmonized guidance is still in progress.  

Key practice: Developing mechanisms to monitor, evaluate, and report 
the results of collaborative efforts; 
Task force activity: NIST publishes a schedule containing time frames 
for developing the task force publications that can be used to monitor 
the status of collaborative efforts, although two publications 
originally planned for release in August 2010 have been delayed until 
early 2011. CNSS is developing guidance, including a mechanism to 
monitor implementation of its instructions. The Federal CIO Council 
has also reported on harmonization efforts in its strategic plan. 
However, performance measures or mechanisms to routinely monitor, 
evaluate, and report on either publication development or 
implementation status have not been established.  

Key practice: Reinforcing agency accountability for collaborative 
efforts through agency plans and reports; 
Task force activity: NIST reported on plans for and progress of 
efforts to harmonize IT security guidance in its Computer Security 
Division 2009 annual report. CNSS also reported on plans for and 
progress of harmonization in its April 2009 annual report. However, 
while CNSS policies direct it to report on the progress of 
implementation of its issuances, including the harmonized guidance, 
according to the CNSS manager, this report has not been produced.  

Source: GAO analysis of joint task force member data.  

[End of table]  

To date, the task force has been successful in its efforts while 
having few documented or formalized processes. Task force officials 
stated that they believe this structure has been very effective for 
harmonizing information security guidance and that the success of the 
effort can be measured by the results achieved to date. These include 
the publication of three documents, planned publication of two more, 
and proposed future development of two additional ones. They also 
stated that the distinction between national security systems and non- 
national security systems has existed for many years, and this was the 
first successful effort to harmonize guidance. Officials said that key 
to the project's success has been strong management and technical 
leadership. Participants also stated that they felt the effort's 
informality, flexibility, and agility were strengths. 

Participants acknowledged that key practices, such as documenting the 
identification of needs and the leveraging of resources to address 
those needs, agreed-to roles and responsibilities, and monitoring and 
reporting on the results of the effort, had not been fully 
implemented; however, the officials stated that the task force has 
been a significant success and that more formal management practices 
could have been counterproductive and ineffective. For 
example, the task force leader stated that establishing these 
practices before the task force had demonstrated results would have 
been difficult. He stated that now that task force members have 
established positive relationships and become dependent on each other 
for technical knowledge, establishing more formal management practices 
may be easier. 

While the task force's approach to managing the harmonization effort 
may not have hindered development to date, plans for future 
publications have slipped, in part because of the challenges of 
coordinating such a cross-agency effort. As the task force continues 
its efforts and approaches additional areas, fuller implementation of 
key practices, such as those that assign responsibilities and measure 
progress, would likely enhance its ability to sustain harmonization 
efforts as personnel change and resources are allocated among other 
agency activities. 

Conclusions: 

Efforts to harmonize policies and guidance for national security 
systems and non-national security systems have made progress in 
producing elements of a unified information security framework. The 
guidance published and scheduled for publication by the joint task 
force constitutes a key part of the foundation of the unified 
framework. The task force has proposed two additional publications for 
consideration and acknowledged the possibility of future areas for 
collaboration, but plans for additional activities have yet to be 
finalized. The harmonization effort has the potential to reduce 
duplication of effort and allow more effective implementation of 
information security controls across interconnected systems. 

To fully realize the benefits of the harmonized guidance, additional 
work remains to implement it. For example, supporting guidance and 
dates for implementation and performance measures have not been 
established for DOD and the intelligence community. Although, to date, 
the lack of documented management practices and processes has not 
significantly hindered the task force, as more difficult areas for 
harmonization are addressed, personnel change, and other agency 
priorities make demands upon resources, implementation of key 
practices for collaboration may help the task force further its 
progress. 

Recommendations for Executive Action: 

To assist the joint task force in continuing its efforts to establish 
harmonized guidance and policies for national security systems and non-
national security systems, we are making the following five 
recommendations. We recommend that the Secretary of Commerce direct 
the Director of NIST to collaborate with CNSS to: 

* complete plans to identify future areas for harmonization efforts, 
and: 

* consider how implementing elements of key collaborative practices, 
such as documenting roles and responsibilities, needs, resources, and 
monitoring and reporting mechanisms, may serve to sustain and enhance 
the harmonization effort. 

We also recommend that the Secretary of Defense direct CNSS to: 

* collaborate with NIST to complete plans to identify future areas for 
harmonization efforts; 

* collaborate with its member organizations, including both DOD and 
the intelligence community, to include milestones and performance 
measures in their plans to implement the harmonized CNSS policies and 
guidance; and: 

* collaborate with NIST to consider how implementing elements of key 
collaborative practices, such as documenting roles and 
responsibilities, needs, resources, and monitoring and reporting 
mechanisms, may serve to sustain and enhance the harmonization effort. 

Agency Comments and Our Evaluation: 

In written comments on a draft of this report, the Secretary of 
Commerce concurred with our conclusions that the Departments of 
Commerce and Defense update plans for future collaboration, establish 
timelines for implementing revised guidance, and fully implement key 
practices for interagency collaboration in the harmonization effort. 
In a separate e-mail message, the NIST audit liaison clarified that 
Commerce also concurred with each recommendation. The department also 
provided technical comments, which we incorporated in the draft as 
appropriate. Comments from the Department of Commerce are reprinted in 
appendix II. 

In oral comments on a draft of this report, the Senior Policy Advisor 
for DOD's Information Assurance and Strategy Directorate, within the 
Office of the Assistant Secretary of Defense (Networks and Information 
Integration)/DOD CIO, stated that DOD concurred with our 
recommendations. In addition, the CNSS manager stated in an e-mail 
message that the report is complete and that CNSS concurred without 
comment. 

We also provided a draft of this report to OMB and ODNI, to which we 
did not make recommendations, and they both stated that they had no 
comments. 

We are sending copies of this report to interested congressional 
committees, the Secretary of Commerce, and the Secretary of Defense. 
In addition, this report will be available at no charge on the GAO Web 
site at [hyperlink, http://www.gao.gov]. 

If you or your staff have any questions about this report, please 
contact me at (202) 512-6244 or at wilshuseng@gao.gov. Contact points 
for our Offices of Congressional Relations and Public Affairs may be 
found on the last page of this report. Key contributors to this report 
are listed in appendix III. 

Sincerely,  

Signed by:  

Gregory C. Wilshusen: 
Director, Information Security Issues: 

[End of section] 

Appendix I: Objective, Scope, and Methodology: 

The objective of our review was to assess the progress of federal 
efforts to harmonize policies and guidance for national security 
systems and non-national security systems. 

To do this, we focused on the Joint Task Force Transformation 
Initiative Interagency Working Group and supporting agencies within 
the civil, defense, and intelligence communities.[Footnote 30] 
Specifically, we identified actions taken and planned by the Joint 
Task Force Transformation Initiative Interagency Working Group to 
harmonize information security guidance. To do this, we reviewed 
program plans, schedules, and performance measures related to the 
harmonization efforts. We also obtained and reviewed current 
information technology security policies, guidance, and other 
documentation for national security systems and non-national security 
systems and then conducted interviews with officials from the National 
Institute of Standards and Technology (NIST), Committee on National 
Security Systems (CNSS), Department of Defense (DOD), Office of the 
Director of National Intelligence (ODNI), National Security Agency 
(NSA), and Office of Management and Budget (OMB) to identify 
differences in existing guidance and plans to resolve these 
differences. 

We also assessed efforts against criteria including prior GAO work on 
key practices to sustain and enhance cross-agency collaboration. We 
performed this assessment by reviewing documents and interviewing 
agency officials from NIST, CNSS, DOD, ODNI, NSA, and OMB. We 
identified evidence of key practices, such as documented roles and 
responsibilities, and mechanisms to monitor, evaluate, and report on 
progress, and verified our assessment with agency officials. 

We conducted this performance audit from February 2010 through 
September 2010 in accordance with generally accepted government 
auditing standards. Those standards require that we plan and perform 
the audit to obtain sufficient, appropriate evidence to provide a 
reasonable basis for our findings and conclusions based on our audit 
objective. We believe that the evidence obtained provides a reasonable 
basis for our findings and conclusions based on our audit objective. 

[End of section] 

Appendix II: Comments from the Department of Commerce: 

United States Department Of Commerce: 
The Secretary of Commerce: 
Washington, D.C. 20230:  

August 27, 2010:  

Mr. Gregory C. Wilshusen: 
Director, Information Security Issues: 
U.S. Government Accountability Office: 
Washington, DC 20548:  

Dear Mr. Wilshusen:  

Thank you for the opportunity to comment on the draft report from the 
U.S. Government Accountability Office (GAO) entitled "Information 
Security: Progress Made on Harmonizing Policies for National Security 
and Non-National Security Systems" (GAO-10-916).  

We concur with the report's conclusions that the Department of 
Commerce and the Department of Defense (DoD) update plans for future 
collaboration, establish timelines for implementing revised guidance, 
and implement fully key practices for interagency collaboration in the 
harmonization effort. We also feel that the draft report does an 
outstanding job at highlighting the National Institute of Standards 
and Technology's (NIST) leadership in this effort. The Department of 
Commerce would like to offer the comments in the attached document 
regarding the GAO's conclusions.  

We are looking forward to receiving your final report and continuing 
discussions with GAO regarding its conclusions. Please contact Rachel 
Kinney at (301) 957-8707 should you have any questions regarding this 
response.  

Sincerely:  

Signed by:  

Gary Locke:  

[End of section] 

Appendix III: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Gregory C. Wilshusen, (202) 512-6244 or wilshuseng@gao.gov: 

Staff Acknowledgments: 

In addition to the contact name above, individuals making 
contributions to this report included Vijay D'Souza (assistant 
director), Neil Doherty, Thomas J. Johnson, Lee McCracken, David 
Plocher, Harold Podell, and John A. Spence. 

[End of section]  

Footnotes:  

[1] As defined in FISMA, the term "national security system" means any 
information system used by or on behalf of a federal agency that (1) 
involves intelligence activities, national security-related 
cryptologic activities, command and control of military forces, or 
equipment that is an integral part of a weapon or weapons system, or 
is critical to the direct fulfillment of military or intelligence 
missions (excluding systems used for routine administrative and 
business applications) or (2) is protected at all times by procedures 
established for handling classified national security information. See 
44 U.S.C. § 3542(b)(2). For the purposes of this report, systems that 
do not meet the criteria for national security systems are referred to 
as non-national security systems. 

[2] The differing treatment of national security and non-national 
security systems reflects a long-standing division in laws that limit 
civilian management oversight of military and intelligence information 
systems by excluding national security systems from the "information 
technology" overseen by the civilian agencies. OMB authority over such 
systems is limited in FISMA (44 U.S.C. § 3543(b)), in the Paperwork 
Reduction Act (44 U.S.C. § 3502(9)), and in the Clinger-Cohen Act (40 
U.S.C. § 11103). NIST authority is limited by 15 U.S.C. § 278g-3(a)(2), 
as amended by FISMA, but also under the prior language of the 
Computer Security Act of 1987 (Pub. L. 100-235, Jan. 8, 1988). These 
limitations are variations of a provision, known as the "Warner 
Amendment," added to the DOD Authorization Act of 1982, which exempted 
DOD procurement of national security systems from General Services 
Administration oversight under the Brooks Act (then-40 U.S.C. § 759). 
Pub. L. 97-86, title IX, § 908(a)(1), Dec. 1, 1981; 10 U.S.C. § 2315. 

[3] In addition to placing limitations on OMB's authority over 
national security systems, FISMA permits further independence from OMB 
oversight for Department of Defense and Central Intelligence Agency 
systems where loss of security would have a debilitating impact on the 
mission of either agency, 44 U.S.C. § 3543(c). More generally, FISMA 
also states that it does not affect authorities otherwise granted an 
agency with regard to national security systems (as well as 
requirements under the Atomic Energy Act of 1954), Sec. 301(c), Pub. 
L. 107-347 (116 Stat. 2955); 44 U.S.C. § 3501 note. 

[4] National Security Directive 42, National Policy for the Security 
of National Security Telecommunications and Information Systems, July 
5, 1990. 

[5] NIST, Guide for Applying the Risk Management Framework to Federal 
Information Systems, SP 800-37, revision 1 (Gaithersburg, Md.: 
February 2010).  

[6] NIST, Guide for Applying the Risk Management Framework to Federal 
Information Systems, SP 800-37, revision 1, was formerly NIST, Guide 
for the Certification and Accreditation of Federal Information 
Systems, SP 800-37. The risk management framework replaces the process 
known as certification and accreditation described in the previous 
version of SP 800-37. 

[7] NIST, Standards for Security Categorization of Federal Information 
and Information Systems, FIPS Publication 199 (Gaithersburg, Md.: 
February 2004). 

[8] NIST, Guide for Mapping Types of Information and Information 
Systems to Security Categories, SP 800-60, revision 1 (Gaithersburg, 
Md.: August 2008). 

[9] NIST, Minimum Security Requirements for Federal Information and 
Information Systems, FIPS Publication 200 (Gaithersburg, Md.: March 
2006). 

[10] NIST, Recommended Security Controls for Federal Information 
Systems and Organizations, SP 800-53, revision 3 (Gaithersburg, Md.: 
August 2009). 

[11] NIST, National Checklist Program for IT Products--Guidelines for 
Checklist Users and Developers, SP 800-70, revision 1 (Gaithersburg, 
Md.: September 2009). 

[12] NIST maintains the National Checklist Repository, which is a 
publicly available resource that contains a variety of security 
configuration checklists for specific IT products or categories of IT 
products. 

[13] NIST, Guide for Assessing the Security Controls in Federal 
Information Systems, SP 800-53A (Gaithersburg, Md.: June 2010). 

[14] National Security Directive 42, National Policy for the Security 
of National Security Telecommunications and Information Systems, July 
5, 1990. 

[15] The departments and agencies with voting representatives are the 
Departments of Commerce, Defense, Energy, Homeland Security, Justice, 
State, Transportation, and the Treasury; the Central Intelligence 
Agency; the Defense Intelligence Agency; the Federal Bureau of 
Investigation; the General Services Administration; the National 
Security Agency; the National Security Council; the Office of the 
Director of National Intelligence; the Office of Management and 
Budget; the Joint Chiefs of Staff; the Air Force; the Army; the Marine 
Corps; and the Navy.  

[16] CNSS Policy 22, Information Assurance Risk Management Policy for 
National Security Systems, February 2009. 

[17] CNSS Policy 6, National Policy on Certification and Accreditation 
of National Security Telecommunications and Information Systems, 
October 2005. 

[18] National Security Directive 42, National Policy for the Security 
of National Security Telecommunications and Information Systems, July 
5, 1990. 

[19] CNSS Instruction 4009 (CNSSI 4009), National Information 
Assurance Glossary, June 2006. 

[20] The organizations are the Central Intelligence Agency, Defense 
Intelligence Agency, Department of Energy (Office of Intelligence and 
Counterintelligence), Department of Homeland Security (Office of 
Intelligence and Analysis), Department of State (Bureau of 
Intelligence and Research), Department of the Treasury (Office of 
Intelligence and Analysis), Drug Enforcement Administration (Office of 
National Security Intelligence), Federal Bureau of Investigation 
(National Security Branch), National Geospatial-Intelligence Agency, 
National Reconnaissance Office, National Security Agency/Central 
Security Service, United States Air Force, United States Army, United 
States Coast Guard, United States Marine Corps, United States Navy, 
and Office of the Director of National Intelligence.  

[21] Director of Central Intelligence Directive 6/3, Protecting 
Sensitive Compartmented Information within Information Systems--Policy, 
June 5, 1999. 

[22] The Federal CIO Council is an interagency forum for improving 
agency IT practices. The council, chaired by OMB, coordinates with 
NIST and CNSS on the development of harmonized information system 
guidance. 

[23] Federal Information Management Strategic Plan, Federal Chief 
Information Officers Council Framework (Fiscal Years 2010-2013), 
January 26, 2010. 

[24] The assessment and authorization process replaces the process 
known as certification and accreditation described in the previous 
version of SP 800-37. 

[25] CNSS Instruction 4009, National Information Assurance (IA) 
Glossary, April 26, 2010. 

[26] CNSS Policy 6, National Policy on Certification and Accreditation 
of National Security Systems, October 2005. 

[27] A security control baseline is the set of minimum security 
controls defined for a low-impact, moderate-impact, or high-impact 
information system. 

[28] These include Intelligence Community Directive 503, dated 
September 2008, which establishes intelligence community policy for IT 
systems security risk management and certification and accreditation, 
and Standard 503-2, which directs the intelligence community to use 
CNSSI-1253 as the authoritative source for categorizing and selecting 
security controls. 

[29] GAO, Results-Oriented Government: Practices That Can Help Enhance 
and Sustain Collaboration among Federal Agencies, [hyperlink, 
http://www.gao.gov/products/GAO-06-15] (Washington, D.C.: Oct. 21, 
2005). 

[30] The agencies include the National Institute of Standards and 
Technology, Committee on National Security Systems, U.S. Department of 
Defense, Office of the Director of National Intelligence, National 
Security Agency, and Office of Management and Budget. 

[End of section]  

GAO's Mission:  

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability.  

Obtaining Copies of GAO Reports and Testimony:  

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates."  

Order by Phone:  

The price of each GAO publication reflects GAO's actual cost of 
production and distribution and depends on the number of pages in the 
publication and whether the publication is printed in color or black and 
white. Pricing and ordering information is posted on GAO's Web site, 
[hyperlink, http://www.gao.gov/ordering.htm].  

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.  

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information.  

To Report Fraud, Waste, and Abuse in Federal Programs:  

Contact:  

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470:  

Congressional Relations:  

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548:  

Public Affairs:  

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: