This is the accessible text file for GAO report number GAO-10-916 entitled 'Information Security: Progress Made on Harmonizing Policies and Guidance for National Security and Non-National Security Systems' which was released on September 15, 2010. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Chairwoman, Subcommittee on Government Management, Organization, and Procurement, Committee on Oversight and Government Reform, House of Representatives: United States Government Accountability Office: GAO: September 2010: Information Security: Progress Made on Harmonizing Policies and Guidance for National Security and Non-National Security Systems: GAO-10-916: GAO Highlights: Highlights of GAO-10-916, a report to the Chairwoman, Subcommittee on Government Management, Organization, and Procurement, Committee on Oversight and Government Reform, House of Representatives. Why GAO Did This Study: Historically, civilian and national security-related information technology (IT) systems have been governed by different information security policies and guidance. Specifically, the Office of Management and Budget and the Department of Commerce’s National Institute of Standards and Technology (NIST) established policies and guidance for civilian non-national security systems, while other organizations, including the Committee on National Security Systems (CNSS), the Department of Defense (DOD), and the U.S. intelligence community, have developed policies and guidance for national security systems. GAO was asked to assess the progress of federal efforts to harmonize policies and guidance for these two types of systems. To do this, GAO reviewed program plans and schedules, analyzed policies and guidance, assessed program efforts against key practices for cross-agency collaboration, and interviewed officials responsible for this effort. What GAO Found: Federal agencies have made progress in harmonizing information security policies and guidance for national security and non-national security systems. Representatives from civilian, defense, and intelligence agencies established a joint task force in 2009, led by NIST and including senior leadership and subject matter experts from participating agencies, to publish common guidance for information systems security for national security and non-national security systems. The harmonized guidance is to consist of NIST guidance applicable to non-national security systems and authorized by CNSS, with possible modifications, for application to national security systems. This harmonized security guidance is expected to result in less duplication of effort and more effective implementation of controls across multiple interconnected systems. The task force has developed three initial publications. These publications, among other things, provide guidance for applying a risk management framework to federal systems, identify an updated catalog of security controls and guidelines, and update the existing security assessment guidelines for federal systems. CNSS has issued an instruction to begin implementing the newly developed guidance for national security systems. Two additional joint publications are scheduled for release by early 2011, with other publications under consideration. Differences remain between guidance for national security and non-national security systems in such areas as system categorization, selection of security controls, and program management controls. NIST and CNSS officials stated that these differences may be addressed in the future but that some may remain because of the special nature of national security systems. While progress has been made in developing the harmonized guidance, additional work remains to implement it and ensure continued progress. For example, task force members have stated their intent to develop plans for future harmonization activities, but these plans have not yet been finalized. In addition, while much of the harmonized guidance incorporates controls and language previously developed for use for non-national security systems, significant work remains to implement the guidance for national security systems. DOD and the intelligence community are developing agency-specific guidance and transition plans for implementing the harmonized guidance, but, according to officials, actual implementation could take several years to complete. Officials stated that this is primarily due to both the large number and criticality of the systems that must be reauthorized under the new guidance. Further, the agencies have yet to fully establish implementation milestones and lack performance metrics for measuring progress. Finally, the harmonization effort has been managed without full implementation of key collaborative practices, such as documenting identified needs and leveraging resources to address those needs, agreed-to agency roles and responsibilities, and processes to monitor and report results. Task force members stress that their informal, flexible approach has resulted in significant success. Nevertheless, further implementation of key collaborative practices identified by GAO could facilitate further progress. What GAO Recommends: GAO is recommending that the Secretary of Commerce and the Secretary of Defense, among other things, update plans for future collaboration, establish timelines for implementing revised guidance, and fully implement key practices for interagency collaboration in the harmonization effort. In comments on a draft of this report, Commerce and DOD concurred with GAO’s recommendations. View [hyperlink, http://www.gao.gov/products/GAO-10-916] or key components. For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. [End of section] Contents: Letter: Background: Progress Is Being Made to Harmonize IT Security Guidance: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objective, Scope, and Methodology: Appendix II: Comments from the Department of Commerce: Appendix III: GAO Contact and Staff Acknowledgments: Tables: Table 1: Joint Task Force Completed and Planned Publications: Table 2: Estimated Dates for Revised DOD Guidance and Associated Publications: Table 3: Joint Task Force Efforts in Key Practice Areas: Figures: Figure 1: NIST Risk Management Framework: Figure 2: Unified Information Security Framework: Abbreviations: CIO: Chief Information Officer: CNSS: Committee on National Security Systems: CNSSI-1253: Committee on National Security Systems Instruction 1253: DCID: Director Central Intelligence Directive: DIACAP: DOD Information Assurance Certification and Accreditation Process: DOD: Department of Defense: DODI: Department of Defense Instruction: FIPS: Federal Information Processing Standard: FISMA: Federal Information Security Management Act: NIST: National Institute of Standards and Technology: NSA: National Security Agency: ODNI: Office of the Director of National Intelligence: OMB: Office of Management and Budget: [End of section] United States Government Accountability Office: Washington, DC 20548: September 15, 2010: The Honorable Diane Watson: Chairwoman: Subcommittee on Government Management, Organization, and Procurement: Committee on Oversight and Government Reform: House of Representatives: Dear Chairwoman Watson: Historically, civilian and national security-related information technology (IT) systems have been governed by different information security policies and guidance. However, over time, factors such as the increasing interconnectedness of computer systems have led to these systems facing similar threats. Development of a unified information security framework that harmonizes security standards and guidance for national security systems and non-national security systems has been highlighted as having the potential to improve information security and avoid unnecessary and costly duplication of effort. As agreed with your office, our objective was to assess the progress of federal efforts to harmonize policies and guidance for national security systems and non- national security systems. To identify efforts to harmonize policies and guidance for national security systems and non-national security systems, we identified completed and planned efforts by the Department of Commerce's National Institute of Standards and Technology (NIST), Department of Defense (DOD), Committee on National Security Systems (CNSS), and the Office of the Director of National Intelligence (ODNI) to issue joint information security policies and guidance. We then reviewed related publications, guidance, plans, and other documents from these organizations to identify differences in existing guidance and plans to resolve those differences and conducted interviews with officials to discuss these differences, the status of harmonization efforts, and the implications for the security of information systems. We also evaluated completed and planned activities against criteria including prior GAO work on key practices to enhance and sustain cross-agency collaboration. Appendix I contains additional details on the objective, scope, and methodology of our review. We conducted this performance audit from February 2010 to September 2010 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Background: The Federal Information Security Management Act (FISMA) specifies requirements for protecting federal systems and data. Enacted into law on December 17, 2002, as title III of the E-Government Act of 2002, FISMA requires every federal agency, including agencies with national security systems,[Footnote 1] to develop, document, and implement an agencywide information security program to secure the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Specifically, this program is to include: * periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems; * risk-based policies and procedures that cost-effectively reduce information security risks to an acceptable level and ensure that information security is addressed throughout the life cycle of each information system; * periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices that include testing of management, operational, and technical controls for every system identified in the agency's required inventory of major information systems; * subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems; * security awareness training for agency personnel, including contractors and other users of information systems that support the operations and assets of the agency; * a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency; * procedures for detecting, reporting, and responding to security incidents; and: * plans and procedures to ensure continuity of operations for * information systems that support the operations and assets of the agency. FISMA also assigns specific information security responsibilities to the Office of Management and Budget (OMB), NIST, agency heads, and agency chief information officers (CIO). Generally, OMB is responsible for developing policies and guidance and overseeing agency compliance with FISMA, NIST is responsible for developing technical standards, and agency heads and CIOs are responsible for ensuring that each agency implements the information security program and other requirements of FISMA. These responsibilities do not, however, apply equally to all agency information systems. FISMA differs in its treatment of national security and non-national security systems. While FISMA requires each federal agency to manage its information security risks through its agencywide information security program, the law recognizes a long- standing division between requirements for national security and non- national security systems that limits civilian management and oversight of information systems supporting military and intelligence activities.[Footnote 2] FISMA recognizes the division between national security systems and non-national security systems in two ways. First, to ensure compliance with applicable authorities, the law requires agencies using national security systems to implement information security policies and practices as required by standards and guidelines for national security systems in addition to the requirements of FISMA. Second, the responsibilities assigned by FISMA to OMB and NIST are curtailed. OMB's responsibilities are reduced with regard to national security systems to oversight and reporting to Congress on agency compliance with FISMA. OMB's annual review and approval or disapproval of agency information security programs, for example, does not include national security systems.[Footnote 3] Similarly, according to FISMA, NIST- developed standards, which are mandatory for non-national security systems, do not apply to national security systems. FISMA limits NIST to developing, in conjunction with DOD and the National Security Agency (NSA), guidelines for agencies on identifying an information system as a national security system, and for ensuring that NIST standards and guidelines are complementary with standards and guidelines developed for national security systems. FISMA also requires NIST to consult with other agencies to ensure use of appropriate information security policies, procedures, and techniques in order to improve information security and avoid unnecessary and costly duplication of effort. In light of this division between national security and non-national security systems, NIST is responsible for developing standards and guidance for non-national security information systems. For example, NIST issues mandatory Federal Information Processing Standards (FIPS) and special publications that provide guidance for information systems security for non-national security systems in federal agencies. For national security systems, National Security Directive 42 established CNSS, an organization chaired by the Department of Defense, to, among other things, issue policy directives and instructions that provide mandatory information security requirements for national security systems.[Footnote 4] In addition, the defense and intelligence communities develop implementing instructions and may add additional requirements where needed. FISMA provides a further exception to compliance with NIST standards. It permits an agency to use more stringent information security standards if it certifies that its standards are at least as stringent as the NIST standards and are otherwise consistent with policies and guidelines issued under FISMA. It is on the basis of this authority that the Department of Defense establishes information security standards for all of its systems (national security and non-national security systems) that are more stringent than the standards required for protecting non-national security systems under FISMA. For example, the DOD directive establishing the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) for authorizing the operation of DOD information systems requires annual certification that the DIACAP process is current and more stringent than NIST standards under FISMA. NIST Guidance Provides Basic Framework for Security of Non-National Security Systems: To help implement the provisions of FISMA for non-national security systems, NIST has developed a risk management framework for agencies to follow in developing information security programs. The framework is specified in NIST Special Publication (SP) 800-37, revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach,[Footnote 5] which provides agencies with guidance for applying the risk management framework to federal information systems.[Footnote 6] The framework in SP 800-37 consists of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring. It also provides a process that integrates information security and risk management activities into the system development life cycle. Figure 1 provides an illustration of the framework and notes relevant security guidance for each part of the framework. Figure 1: NIST Risk Management Framework: [Refer to PDF for image: illustration] The illustration depicts a circle with six components encircling the core of the Security Life Circle: Starting point: Categorize information system: FIPS 199/SP 800-60; Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business. Select security controls: FIPS 200/SP 800-53; Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment. Implement security controls: SP 800-70; Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings. Assess security controls: SP 800-53A; Determine security control effectiveness(i.e., controls implemented correctly, operating as intended, meeting security requirements for information system). Authorize information system: SP 800-37; Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation. Monitor security state: SP 800-37/SP 800-53A; Continuously track changes to the information system that may affect security controls and reassess control effectiveness. Source: GAO analysis of NIST data. [End of figure] Other key NIST publications related to the risk management framework include the following: * Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems.[Footnote 7] Provides agencies with criteria to identify and categorize their information systems based on providing appropriate levels of information security according to a range of risk levels. * NIST SP 800-60, revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories.[Footnote 8] Provides guidance for implementing FIPS 199. * FIPS 200, Minimum Security Requirements for Federal Information and Information Systems.[Footnote 9] Provides minimum information security requirements for protecting the confidentiality, integrity, and availability of federal information systems. * NIST SP 800-53 revision 3, Recommended Security Controls for Federal Information Systems and Organizations.[Footnote 10] Provides guidelines for selecting and specifying security controls for information systems. * NIST SP 800-70, revision 1, National Checklist Program for IT Products-Guidelines for Checklist Users and Developers.[Footnote 11] Provides guidance for using the National Checklist Repository to select a security configuration checklist, which may include items such as security controls used in FISMA system assessments.[Footnote 12] * NIST SP 800-53A, revision 1, Guide for Assessing the Security Controls in Federal Information Systems.[Footnote 13] Provides agencies with guidance for building security assessment plans and procedures for assessing the effectiveness of security controls employed in information systems. In applying the provisions of FIPS 200, federal civilian agencies with non-national security systems are to first categorize their information and systems as required by FIPS 199, and then should select an appropriate set of security controls from NIST SP 800-53 to satisfy their minimum security requirements. This helps to ensure that appropriate security requirements and security controls are applied to all non-national security systems. Next, controls are implemented and information systems are authorized using NIST SP 800-70. Finally, agencies assess, test, and monitor the effectiveness of the information security controls using the guidance in NIST SP 800-53A. Many other FIPS and NIST special publications provide guidance for the implementation of FISMA requirements for non-national security systems. CNSS Provides the Basic Security Framework for National Security Systems with Defense and Intelligence Agencies Providing Additional Guidance: For national security systems, organizations responsible for developing policies, directives, and guidance include CNSS, DOD, and the intelligence community. The processes and criteria established by this guidance are often similar to those required by NIST guidance for non-national security systems. For example, security guidance for certification and accreditation requires risk assessments, verification of security requirements in a security plan or other document, testing of security controls, and formal authorization by an authorizing official. Roles of these agencies and key security guidance that they have issued are described below. Committee on National Security Systems: CNSS provides a forum for the discussion of policy issues, sets national policy, and provides direction, operational procedures, and guidance for the security of national security systems. The Department of Defense chairs the committee under the authorities established by National Security Directive 42, issued in July 1990.[Footnote 14] This directive designates the Secretary of Defense and the Director of the National Security Agency as the Executive Agent and National Manager for national security systems, respectively. The committee has voting representatives from 21 departments and agencies.[Footnote 15] In addition, nonvoting observers such as NIST participate in meetings, provide comments and suggestions, and participate in subcommittee and working group activities. The committee organizes its activities by developing an annual program of work and plan of action and milestones. NSA provides logistical and administrative support for the committee, including a Secretariat manager who organizes the day-to-day activities of the committee. Since its inception, the committee has issued numerous policies, directives, and instructions that are binding upon all federal departments and agencies for national security systems. Key publications include the Information Assurance Risk Management Policy for National Security Systems,[Footnote 16] National Policy on Certification and Accreditation of National Security Telecommunications and Information Systems,[Footnote 17] National Information Assurance Certification and Accreditation Process, [Footnote 18] and a National Information Assurance Glossary.[Footnote 19] Department of Defense: To defend DOD information systems and computer networks from unauthorized or malicious activity, the department established an Information Assurance Framework in its 8500 series of guidance. This framework allows DOD to ensure the security of its information systems by providing standards and support to its component information assurance programs. DOD uses this framework for all of its IT systems. DOD directive 8500.01 and implementing instruction 8500.2, which documents information security controls, are the primary policy documents that describe this framework. In addition, the Department of Defense Information Assurance Certification and Accreditation Process, published in November 2007, is documented in DOD 8510.01 and the online DIACAP knowledge service. Also, the establishment of an information security program is described in DOD regulation 5200.01-R, dated January 1997. Intelligence Community: The intelligence community is a federation of executive branch agencies and organizations that work separately and together to conduct intelligence activities necessary for the conduct of foreign relations and the protection of the national security of the United States.[Footnote 20] Member organizations include intelligence agencies, military intelligence, and civilian intelligence and analysis offices within federal executive departments. The community is led by the Director of National Intelligence, who oversees and directs the implementation of the National Intelligence Program. Historically, the intelligence community has had separate instructions related to information system security. For example, Director of Central Intelligence Directive (DCID) 6/3, Protecting Sensitive Compartmented Information within Information Systems,[Footnote 21] and its implementation manual provided policy and procedures for the security and protection of systems that create, process, store, and transmit intelligence information, and defined and mandated the use of a risk management process and a certification and accreditation process. Federal Agencies Have Had Disparate Information Security Guidance: Prior to efforts to harmonize information security guidance, federal organizations had developed separate, and sometimes disparate, guidance for information security. For example, the National Security Agency used the National Information Systems Certification and Accreditation Process, the intelligence community used DCID 6/3, and DOD used the Department of Defense Information Technology Security Certification and Accreditation Process, which later became the DIACAP. According to the Federal CIO Council's strategic plan and federal officials in DOD and the intelligence community, these processes had some elements in common;[Footnote 22] however, the variances in guidance were sufficient to cause several unintended and undesirable consequences for the federal community. For example, both DOD and NIST had catalogs of information security controls that covered similar areas but had different formats and structures. As a result, according to the CIO Council, organizations responsible for providing oversight of federal information systems such as members of the CIO Council and CNSS could not easily assess the security of federal information systems. In addition, reciprocity--the mutual agreement among participating enterprises to accept each other's security assessments--was hampered because of the apparent differences in interpreting risk levels. Because agencies were not confident in their understanding of other agencies' certification and accreditation results, they sometimes felt it necessary to recertify and reaccredit information systems, expending resources, including time and money, which may not have been necessary.[Footnote 23] Progress Is Being Made to Harmonize IT Security Guidance: A task force consisting of representatives from civilian, defense, and intelligence agencies has made progress in establishing a unified information security framework for national security and non-national security systems. Specifically, NIST has published three initial documents developed by a task force working group to harmonize information security standards for national security and non-national security systems, and is scheduled to publish two more by early 2011. While much has been accomplished, differences remain between the guidance for the two types of systems, and significant work remains to implement the harmonized guidance on national security systems, such as developing supporting agency-specific guidance and establishing specific time frames and performance measures for implementation. Further, while the task force has implemented elements of key practices for interagency coordination that GAO has identified, much of this implementation is not documented. The lack of fully implemented practices, such as those that assign responsibilities and measure progress, could limit the task force's continued progress as personnel change and resources are allocated among other agency activities. A Joint Task Force Has Been Established to Create a Unified Information Security Framework: According to NIST and CNSS officials, a Joint Task Force Transformation Initiative Interagency Working Group was formed in April 2009 with representatives from NIST, DOD, and ODNI to produce a unified information security framework for the federal government. Instead of having parallel publications for national security systems and non-national security systems for risk management and systems security, the intent, according to members of the joint task force, is to have common publications to the maximum extent possible. According to officials involved in the task force, harmonized security guidance is expected to result in less duplication of effort, lower maintenance costs, and more effective implementation of controls across multiple interconnected systems. In addition, the harmonized guidance should make it simpler and more cost-effective for vendors and contractors to supply security products and services to the federal government. The task force arose out of prior efforts to harmonize security guidance among national security systems. In 2006, the ODNI and DOD CIOs began an initiative to harmonize the two organizations' certification and accreditation guidance and processes for IT systems. For example, in July 2006, DOD and the intelligence community established a Unified Cross Domain Management Office to address duplication and uncoordinated security activities and improve the security posture of the agencies' highest-risk security devices. In January 2007, the DOD and ODNI CIOs published seven certification and accreditation transformation goals that included development of common security controls. According to DOD, by July 2008, DOD and the intelligence community were working on six documents that mirrored similar NIST risk management and information security publications. In August 2008, the CIOs signed an agreement adopting common guidelines to streamline and build reciprocity into the certification and accreditation process. As this effort progressed, the agencies involved determined that it would benefit from closer engagement with NIST and the development of common security guidance. NIST had been informally involved in the harmonization effort for several years, but, according to CNSS, DOD, and ODNI, during the CNSS annual conference in the spring of 2009, the CNSS community decided to more actively engage NIST and agree to use NIST documents as the basis for information security controls and risk management. The committee also agreed to complete policies and instructions to support use of the NIST publications. Following the conference, a memo from the Acting CIO for the intelligence community stated that the intelligence community intended to follow CNSS guidance that pointed to related NIST publications. NIST currently leads the working group and the task force publication development process. Working group members are selected for each publication from participating agencies and support contractors to provide subject matter expertise and administrative support. In addition, the task force is guided by a senior leadership team from NIST, CNSS, DOD, and ODNI that reviews and approves the harmonized publications. As illustrated in figure 2, key areas targeted for the common guidance include risk management, security categorization, security controls, security assessment procedures, and the security authorization process contained in the NIST risk management framework. NIST develops standards and guidance for non-national security systems, including most systems in civilian agencies. CNSS provides policy, directives, and instructions binding upon all U.S. government departments and agencies for national security systems, including systems in the intelligence community and DOD (e.g., classified systems). Since NIST does not have authority over national security systems, CNSS issuances authorize the use of the harmonized NIST guidance developed by the joint task force. As necessary, CNSS also develops additional information security requirements to accommodate the unique nature of national security systems. Finally, individual agencies may create their own specific implementing guidance. Figure 2: Unified Information Security Framework: [Refer PDF for image: illustration] Foundational set of information security standards and guidance: * Risk management (organization, mission, information system); * Security categorization (information criticality/sensitivity); * Security controls (safeguards and countermeasures); * Security assessment procedures; * Security authorization process: NIST Guidance: Modified with: Agency-specific information security guidance; Applied to: Non-national security systems. CNSS guidance: Modified with: Agency-specific information security guidance; Applied to: National security systems. Sources: NIST and CNSS. Note: The foundational set of common information security requirements links to the requirements in the NIST Risk Management Framework. [End of figure] Joint Task Force Has Published Three Initial Harmonized Guidance Publications: The joint task force has published three of five planned publications containing harmonized information security guidance and is actively developing the final two publications. These include a new publication as well as revisions to existing NIST guidance, as summarized in table 1. In addition, the task force is considering collaboration on two additional publications. Table 1: Joint Task Force Completed and Planned Publications: Publication: NIST SP 800-53, revision 3, Recommended Security Controls for Federal Information Systems and Organizations; Issue date: August 2009. Publication: NIST SP 800-37, revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach; Issue date: February 2010. Publication: NIST SP 800-53A, revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations; Issue date: June 2010. Publication: NIST SP 800-39, Enterprise-Wide Risk Management: Organization, Mission, and Information Systems View; Issue date: January 2011 (planned). Publication: NIST SP 800-30, revision 1, Guide for Conducting Risk Assessments; Issue date: February 2011 (planned). Source: NIST. [End of table] As of June 2010, the three publications developed by the joint task force and released by NIST are the following: * NIST SP 800-53, revision 3, Recommended Security Controls for Federal Information Systems and Organizations, was published in August 2009. It contains the catalog of security controls and technical guidelines that federal agencies will use to protect federal information and information systems, and is an integral part of the unified information security framework for the entire federal government. The security controls within revision 3 provide updated security controls developed by the joint task force members that included NIST, CNSS, DOD, and ODNI with specific information from databases of known cyber attacks and threat information. According to the task force leader and the CNSS manager, new controls and enhancements were added as a result of the harmonization effort. For example, control AC-4, related to Information Flow Enforcement, had several enhancements added because of input from the national security systems community. * NIST SP 800-37, revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, was released in February 2010. This publication replaces the traditional certification and accreditation process with the six-step risk management framework, including a process of assessment and authorization. [Footnote 24] According to the publication, the revised process emphasizes building information security capabilities into federal information systems through the application of security controls while implementing an ongoing monitoring process. It also provides information to senior leaders to facilitate better decisions regarding the acceptance of risk arising from the operation and use of information systems. According to the task force leader and the CNSS manager, the publication contains few direct changes as a result of the harmonization effort. Rather, task force representatives determined that the existing NIST risk management framework contained the same concepts and content as existing national security-related guidance, such as the DIACAP. * NIST SP 800-53A, revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, was published in June 2010. The updated security assessment guideline is intended to incorporate leading practices in information security from DOD, the intelligence community, and civil agencies and includes security control assessment procedures for both national security and non-national security systems. The guidelines for developing security assessment plans are intended to support a wide variety of assessment activities in all phases of the system development life cycle, including development, implementation, and operation. According to the task force leader and the CNSS manager, while there were few direct changes to the content of SP 800-53A as a result of the harmonization effort, task force members are collaborating on revising the assessment cases, which provide additional instruction on techniques for testing specific controls. According to the leader, this effort is to be completed by the end of 2010. Because CNSS, not NIST, has the authority to issue binding guidance for national security systems, CNSS has issued supplemental guidance for implementing NIST SP 800-53: CNSS Instruction 1253 (CNSSI-1253), Security Categorization and Control Selection for National Security Systems, which was published in October 2009. This instruction states that the Director of National Intelligence and the Secretary of Defense have directed that the processes described in NIST SP 800-53, revision 3 (as amended by the instruction), and the NIST security and programmatic controls contained in 800-53 apply to national security systems. Using the controls in 800-53, this instruction provides categorization and corresponding baseline sets of controls for national security systems. CNSS also recently published a revised common glossary of information security terms in support of the goal of adopting a common lexicon for the national security and non-national security communities.[Footnote 25] This revised glossary harmonizes terminology used by DOD, the intelligence community, and civil agencies (which use a NIST-developed glossary) to enable all three to use the same terminology (and move toward shared documentation and processes). According to the CNSS Secretariat manager, in December 2010 CNSS plans to revise an existing policy, CNSSP 6, to generally direct the use of NIST publications, including SP 800-37 and SP 800-53A, as common guidance and will include related CNSS instructions (if any) on how to implement the NIST guidance for national security systems.[Footnote 26] This will coincide closely with the publication of NIST SP 800-39 and SP 800-30, revision 1. The CNSS manager stated that once common guidance developed jointly with NIST is finalized, CNSS needs to determine whether it will need supplemental instructions because of the uniqueness of national security systems (e.g., their special operating environments or the classified information they contain). However, CNSS officials said that the committee intends to keep this unique guidance to a minimum and use the common security guidance to the maximum extent possible. The joint task force's development schedule lists two additional joint task force publications: * NIST SP 800-39, Enterprise-Wide Risk Management: Organization, Mission, and Information Systems View, planned for publication in January 2011, is to provide an approach for managing that portion of risk resulting from the incorporation of information systems into the mission and business processes of an organization. * NIST SP 800-30, revision 1, Guide for Conducting Risk Assessments, planned for publication in February 2011, is a revision of an existing NIST publication that will be refocused to address risk assessments as part of the risk management framework. In addition to the two planned publications, the joint task force leader and the CNSS Secretariat manager stated that two other publications are under consideration for collaboration: * Guide for Information System Security Engineering, under consideration for publication in September 2011, and: * Guide for Software Application Security, under consideration for publication in November 2011. The estimated completion dates for these future publications are later than originally planned. For example, as of January 2010, SP 800-39 and SP 800-30, revision 1, were to have been completed in August 2010, and the information system security engineering guide was to be completed in October 2010. According to the task force leader, the delays are due to additional work and coordination activities that needed to be completed, the breadth and depth of comments in the review process, and challenges in coordination with other task force members. Task force members acknowledge that there are additional areas of IT security guidance where it may be possible to collaborate, but they have not yet documented plans for future efforts. The CNSS manager stated that the committee intends to update its existing plan of action and milestones in fall 2010, but this has not yet been completed. Until the task force defines topics and deadlines for future efforts, opportunities for additional collaboration will likely be constrained. Differences Remain between Guidance for National Security Systems and Non-National Security Systems: Despite the efforts to harmonize information security guidance, many differences remain. These include differences in system categorization, selection of security controls, and use of program management controls. System categorization. Different methodologies are used to categorize the impact level of the information contained in non-national security systems and national security systems. For non-national security systems, SP 800-53 applies the concept of a high-water mark for categorizing the impact level of the system, as defined in FIPS 199. This means that the system is categorized according to the worst-case potential impact of a loss of confidentiality, integrity, or availability of information or an information system. For example, if loss of confidentiality was deemed to be high impact, but loss of integrity and availability were deemed to be moderate impact, the system would be considered a high-impact system. As a result, SP 800- 53 contains three recommended baselines (starting points) for control selection--low, moderate, and high. By contrast, while national security systems will use the controls in SP 800-53, the impact level will be determined using CNSSI-1253, not FIPS 199. CNSSI-1253 uses a more granular structure in which the potential impact levels of loss of confidentiality, integrity, and availability are individually used to select categorizations. As a result, while FIPS 199 has three impact levels (low, moderate, and high), CNSSI-1253 has 27 (all possible combinations of low, moderate, and high for confidentiality, integrity, and availability). According to an official at NIST, use of the high-water mark is easier for civilian agencies to implement for non-national security systems, and provides a more conservative approach by employing stronger controls by default. According to CNSS, retaining the more granular impact levels reduces the need for subsequent tailoring of controls. Officials involved in the harmonization effort stated that while they may attempt to reconcile the approaches in the future, there are no current plans to do so. Security control selection. In our analysis of NIST and CNSS security control baselines for non-national security systems and national security systems, we determined that the new national security system baselines based on SP 800-53 incorporated almost all of the controls found in comparable non-national security baselines, as well as additional security controls and enhancements.[Footnote 27] For example, a high-impact system under the non-national security system baseline includes 328 controls and subcontrols. The equivalent baseline for a national security system includes 397 controls and subcontrols, out of which 326 were shared between the two baselines. Both CNSS and NIST officials stated that their baselines represent the starting point for determining which controls are appropriate for an individual system and that controls and enhancements may be removed or added as needed in accordance with established guidance. CNSS officials stated that national security systems provide unique capabilities (e.g., intelligence, cryptographic, or command and control), operate in diverse environments, and are subject to advanced cyber threats. As a result, national security systems may require more protection and thus more security controls than non-national security systems. Also, according to CNSS officials, while security controls for non-national security systems are often aimed at a broad IT environment, guidance for national security systems is developed with added specificity and a focus on vulnerabilities, threats, and countermeasures to protect classified information. However, NIST officials noted some non-national security systems may require levels of protection that are equal to the levels for national security systems in order to counter cyber attacks. For example, certain high-impact non-national security systems may be supporting applications that are part of critical infrastructure. Therefore, the mission criticality of some non-national security systems may require the same control techniques used by national security systems to counter cyber attacks. Program management controls. NIST SP 800-53, revision 3, identifies 11 program management controls that agencies are required to implement organizationwide to support all security control baselines for non- national security systems. CNSSI-1253 states that these controls are optional. A CNSS official stated that the implementation of program management controls is optional to give the CNSS community flexibility to implement them in a way that best fits their information security program organizational and operational models. DOD said it plans to address these controls in upcoming revisions to its information security guidance. NIST and CNSS officials acknowledged that differences still exist in the harmonized guidance, and stated that the harmonization process will take time, and not all differences will be resolved during the initial harmonization effort. They stated that they have chosen to focus on issues on which they can readily achieve consensus and, if appropriate, plan to resolve remaining issues in a future revision. Additional Supporting Guidance Is Being Developed for National Security Systems, but Detailed Time Frames for Implementation Have Not Been Established: While much of the harmonized guidance is already in use for non- national security systems, significant work remains to implement the new guidance on national security systems. For non-national security systems, OMB requires that NIST guidance be implemented within 1 year of its publication. The civilian community has been using previous versions of SP 800-53 since February 2005; thus many of the controls have already been available for use for non-national security systems. However, while plans for implementing the harmonized information system guidance within DOD and the intelligence community have begun, full implementation may take years to complete. Department of Defense Faces Challenges in Implementing Harmonized Guidance: While DOD officials have stated that the concepts and content in the harmonized security guidance are similar to those in existing DOD directives and instructions, the implementation process will require substantial time and effort. Officials said that transitioning to the new security controls will require in-depth planning and additional resources, implementation will be incremental, and it will take a number of years to complete. For example, systems that are currently in development may be transitioned to the harmonized guidance, while systems that are already deployed may be transitioned only if the system undergoes a major change before its next scheduled security evaluation or review. In order for DOD to transition to the new harmonized guidance, it plans to first revise its existing 8500 series of guidance. This process includes upcoming revisions to the information security policy documented in its directive 8500.01 and instruction 8500.2, the certification and accreditation process contained in DOD 8510.01, as well as various additional instructions and guidance. The first major step is to release the revised DOD 8500.01 and 8500.2, based on the harmonized joint task force guidance. As seen in table 2, the estimated release date for these revisions is December 2010. After this occurs, DOD plans to develop additional implementation and assessment guidance, technical instructions, and other information. The release dates for these additional items have not yet been established because their development or revision is dependent on the final publication of revisions to the 8500 series guidance. Table 2: Estimated Dates for Revised DOD Guidance and Associated Publications: DOD publication: DODD 8500.01; Estimated publication: December 2010; Dependent on: CNSSI-1253; Estimated publication: Published. DOD publication: DODI 8500.2; Estimated publication: December 2010; Dependent on: NIST SP 800-53; Estimated publication: Published; Dependent on: CNSSI 1253; Estimated publication: Published. DOD publication: DODI 8510.01; Estimated publication: Early 2011; Dependent on: NIST SP 800-37; Estimated publication: Published; Dependent on: CNSSP 6; Estimated publication: December 2010. DOD publication: Other DOD implementation and assessment guides; Estimated publication: To be determined; Dependent on: NIST SP 800-53A; Estimated publication: Published. Source: GAO analysis of DOD and NIST data. [End of table] Once DOD issues guidance for implementing the joint task force's harmonized guidance, officials said that it will take several more years to incorporate the security controls into the systems' security plans. Specifically, the security plans for legacy systems will not be updated until those systems are due for recertification and reaccreditation, which could take place up to 3 years after updated DOD guidance has been released. Furthermore, DOD has not yet established milestones and performance measures for implementing the new guidance pending its issuance. Until the department develops, issues, and implements its revised policy, including guidance on implementation time frames, potential benefits from implementing the harmonized guidance, such as reduced duplication of effort, will not be realized. Intelligence Community Faces Challenges in Implementing Harmonized Guidance: While the intelligence community has taken steps to transition to the harmonized guidance, it faces challenges in doing so, such as developing detailed transition plans with milestones and resources for implementation. The intelligence community has established broad transition guidance in the form of directives and standards that direct the use of CNSS policy and guidance, which in turn point to the harmonized NIST guidance.[Footnote 28] The community has also developed a high-level transition plan, based on planned publication dates of harmonized guidance. In addition, guidance issued in May 2010 also states that each organization within the intelligence community shall establish its own internal transition plan and timeline based on organization- specific factors. However, officials stated that the effort required to implement the new controls is significant in terms of the number of systems and their criticality and that implementation must be carried out in a careful, measured way. Furthermore, SP 800-53A, the publication used to assess the controls in SP 800-53, was not published until June 2010. According to CNSS and intelligence community officials, SP 800- 53A needed to be issued before these agencies could complete their implementation instructions for SP 800-53 controls. Therefore, CNSS has not established policies with specific time frames for implementation of these controls. The manager of CNSS said that the transition will be incremental, and will vary based on the complexity of the systems involved. For example, difficult-to-service embedded systems that have already been authorized, such as satellite systems, may use the current set of controls until the systems are removed from operation. An ODNI review of intelligence community implementation plans identified several potential challenges with implementing harmonized guidance. According to ODNI's overall transition plan issued in November 2009, a review of intelligence agency transition plans raised concerns, including the following: * Most agencies want policies and standards to be in place before implementing the transition. * The transition is likely to take 3 to 5 years after implementation guidance is provided. * A phased approach is desirable and needed, but performance measures and milestones have not been defined. * Resources, and the appropriate expertise, will need to be planned and available to implement the harmonized guidance. The NSA official responsible for approving the operation of information systems confirmed these concerns. For example, she stated that a phased implementation approach is necessary because the agency would not be able to reaccredit and recertify all of its systems at once. Additionally, she stated that it is difficult to establish milestones and performance measures because the security of a system cannot easily be quantified. However, federal guidance and our prior work have emphasized the importance of tools such as a schedule and means to track progress to the success of IT efforts. Until supporting implementation plans with milestones, performance measures, and identified resources are developed and approved to implement the harmonized guidance, the benefits realized by the intelligence community from the harmonization effort will likely be constrained. Key Practices May Enhance Long-Term Project Success: In prior work, we identified key practices that can help federal agencies to enhance and sustain collaboration efforts, such as the joint task force effort to harmonize information security guidance. [Footnote 29] The practices include the following: * Defining and articulating a common outcome. The compelling rationale for agencies to collaborate can be imposed externally through legislation or other directives or can come from the agencies' own perceptions of the benefits they can obtain from working together. * Establishing mutually reinforcing or joint strategies to achieve the outcome. Agency strategies that work in concert with those of their partners help in aligning the partner agencies' activities, core processes, and resources to accomplish the common outcome. * Identifying and addressing needs by leveraging resources. Collaborating agencies bring different levels of resources and capacities to the effort. By assessing their relative strengths and limitations, collaborating agencies can look for opportunities to address resource needs by leveraging each other's resources, thus obtaining additional benefits that would not be available if they were working separately. * Agreeing upon agency roles and responsibilities. Collaborating agencies should work together to define and agree on their respective roles and responsibilities, including how the collaborative effort will be led. In doing so, agencies can clarify who will do what, organize their joint and individual efforts, and facilitate decision making. * Establishing compatible policies, procedures, and other means to operate across agency boundaries. To facilitate collaboration, agencies need to address the compatibility of artifacts such as standards and policies that will be used in the collaborative effort. * Developing mechanisms to monitor, evaluate, and report the results of collaborative efforts. Federal agencies engaged in collaborative efforts need to create the means to monitor and evaluate their efforts to enable them to identify areas for improvement. Reporting on these activities can help key decision makers within the agencies, as well as clients and stakeholders, to obtain feedback for improving both policy and operational effectiveness. * Reinforcing agency accountability for collaborative efforts through agency plans and reports. Federal agencies can use their strategic and annual performance plans as tools to drive collaboration with other agencies and partners and establish complementary goals and strategies for achieving results. Such plans can also reinforce accountability for the collaboration by aligning agency goals and strategies with those of the collaborative efforts. Joint task force efforts in each of these key practice areas are described in table 3. Table 3: Joint Task Force Efforts in Key Practice Areas: Key practice: Defining and articulating a common outcome; Task force activity: The joint task force has developed a schedule that identifies the publications and time frames agreed to as an outcome of its work. Additionally, according to agency officials, NIST and CNSS have recognized the potential benefits of harmonized guidance and have collaborated through regular meetings to discuss joint work goals to support the common outcome of harmonized guidance. Task force members acknowledge that there are many areas of IT security guidance where it may be possible to collaborate, but they have not yet documented plans for future efforts. The CNSS manager stated that the committee intends to update its existing plan of action and milestones in fall 2010, but this has not yet been completed. Key practice: Establishing mutually reinforcing or joint strategies to achieve the outcome; Task force activity: NIST is an active participant in the annual CNSS Conference, in which discussions take place on the strategic direction for the development of policies, directives, and instructions for national security systems. One product of this conference is the plan of actions and milestones, which CNSS uses as a strategy to guide its activities. For example, the 2009 plan contained commitments to further participate in harmonization activities and to develop more CNSS guidance that supported achieving the outcome of use of the harmonized guidance. Key practice: Identifying and addressing needs by leveraging resources; Task force activity: Members of the joint task force, including NIST, CNSS, and NSA, work together to leverage resources and staff the groups that work on harmonizing the individual publications. However, the task force does not have an overall means of leveraging resources, such as a project plan or other document that addresses needs or identifies resources necessary to produce its publications. Key practice: Agreeing upon agency roles and responsibilities; Task force activity: According to task force members, there is an agreed-upon structure for the joint task force. NIST is the leader, and DOD and ODNI contribute resources as needed. However, there is no documentation of these roles and responsibilities in a charter, project plan, memorandum of understanding, or other written agreement among project participants. Key practice: Establishing compatible policies, procedures, and other means to operate across agency boundaries; Task force activity: CNSS has drafted a program of work and a plan of actions and milestones defining the committee's work for the upcoming year that includes harmonization of security guidance, which is the overall effort to establish compatible policies and procedures across agency boundaries. CNSS is also developing supporting guidance, such as CNSSI-1253, that directs agencies to implement the NIST publications. Furthermore, ODNI has updated its policies in support of the harmonization effort. Intelligence Community Directive 503, which is issued by ODNI, directs the use of CNSSI-1253, which, as stated above, has been harmonized with NIST guidance. The revision of existing DOD information security guidance to incorporate the harmonized guidance is still in progress. Key practice: Developing mechanisms to monitor, evaluate, and report the results of collaborative efforts; Task force activity: NIST publishes a schedule containing time frames for developing the task force publications that can be used to monitor the status of collaborative efforts, although two publications originally planned for release in August 2010 have been delayed until early 2011. CNSS is developing guidance, including a mechanism to monitor implementation of its instructions. The Federal CIO Council has also reported on harmonization efforts in its strategic plan. However, performance measures or mechanisms to routinely monitor, evaluate, and report on either publication development or implementation status have not been established. Key practice: Reinforcing agency accountability for collaborative efforts through agency plans and reports; Task force activity: NIST reported on plans for and progress of efforts to harmonize IT security guidance in its Computer Security Division 2009 annual report. CNSS also reported on plans for and progress of harmonization in its April 2009 annual report. However, while CNSS policies direct it to report on the progress of implementation of its issuances, including the harmonized guidance, according to the CNSS manager, this report has not been produced. Source: GAO analysis of joint task force member data. [End of table] To date, the task force has been successful in its efforts while having few documented or formalized processes. Task force officials stated that they believe this structure has been very effective for harmonizing information security guidance and that the success of the effort can be measured by the results achieved to date. These include the publication of three documents, planned publication of two more, and proposed future development of two additional ones. They also stated that the distinction between national security systems and non- national security systems has existed for many years, and this was the first successful effort to harmonize guidance. Officials said that key to the project's success has been strong management and technical leadership. Participants also stated that they felt the effort's informality, flexibility, and agility were strengths. Participants acknowledged that fuller implementation of key practices, such as documenting identification of needs and leveraging of resources to address those needs, agreed-to roles and responsibilities, and monitoring and reporting on the results of its efforts, were missing; however, the officials stated that the task force has been a significant success and that more formal management practices could have been counterproductive and ineffective. For example, the task force leader stated that establishing these practices before the task force had demonstrated results would have been difficult. He stated that now that task force members have established positive relationships and become dependent on each other for technical knowledge, establishing more formal management practices may be easier. While the task force's approach to managing the harmonization effort may not have hindered development to date, plans for future publications have slipped, in part because of the challenges of coordinating such a cross-agency effort. As the task force continues its efforts and approaches additional areas, fuller implementation of key practices, such as those that assign responsibilities and measure progress, would likely enhance its ability to sustain harmonization efforts as personnel change and resources are allocated among other agency activities. Conclusions: Efforts to harmonize policies and guidance for national security systems and non-national security systems have made progress in producing elements of a unified information security framework. The guidance published and scheduled for publication by the joint task force constitutes a key part of the foundation of the unified framework. The task force has proposed two additional publications for consideration and acknowledged the possibility of future areas for collaboration, but plans for additional activities have yet to be finalized. The harmonization effort has the potential to reduce duplication of effort and allow more effective implementation of information security controls across interconnected systems. To fully realize the benefits of the harmonized guidance, additional work remains to implement it. For example, supporting guidance and dates for implementation and performance measures have not been established for DOD and the intelligence community. Although, to date, the lack of documented management practices and processes has not significantly hindered the task force, as more difficult areas for harmonization are addressed, personnel change, and other agency priorities make demands upon resources, implementation of key practices for collaboration may help the task force further its progress. Recommendations for Executive Action: To assist the joint task force in continuing its efforts to establish harmonized guidance and policies for national security systems and non- national security systems, we are making the following five recommendations. We recommend that the Secretary of Commerce direct the Director of NIST to collaborate with CNSS to: * complete plans to identify future areas for harmonization efforts, and: * consider how implementing elements of key collaborative practices, such as documenting roles and responsibilities, needs, resources, and monitoring and reporting mechanisms, may serve to sustain and enhance the harmonization effort. We also recommend that the Secretary of Defense direct CNSS to: * collaborate with NIST to complete plans to identify future areas for harmonization efforts; * collaborate with its member organizations, including both DOD and the intelligence community, to include milestones and performance measures in their plans to implement the harmonized CNSS policies and guidance; and: * collaborate with NIST to consider how implementing elements of key collaborative practices, such as documenting roles and responsibilities, needs, resources, and monitoring and reporting mechanisms, may serve to sustain and enhance the harmonization effort. Agency Comments and Our Evaluation: In written comments on a draft of this report, the Secretary of Commerce concurred with our conclusions that the Departments of Commerce and Defense update plans for future collaboration, establish timelines for implementing revised guidance, and fully implement key practices for interagency collaboration in the harmonization effort. In a separate e-mail message, the NIST audit liaison clarified that Commerce also concurred with each recommendation. The department also provided technical comments, which we incorporated in the draft as appropriate. Comments from the Department of Commerce are reprinted in appendix II. In oral comments on a draft of this report, the Senior Policy Advisor for DOD's Information Assurance and Strategy Directorate, within the Office of the Assistant Secretary of Defense (Networks and Information Integration)/DOD CIO, stated that DOD concurred with our recommendations. In addition, the CNSS manager stated in an e-mail message that the report is complete and that CNSS concurred without comment. We also provided a draft of this report to OMB and ODNI, to which we did not make recommendations, and they both stated that they had no comments. We are sending copies of this report to interested congressional committees, the Secretary of Commerce, and the Secretary of Defense. In addition, this report will be available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you or your staff have any questions about this report, please contact me at (202) 512-6244 or at wilshuseng@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix III. Sincerely, Signed by: Gregory C. Wilshusen: Director, Information Security Issues: [End of section] Appendix I: Objective, Scope, and Methodology: The objective of our review was to assess the progress of federal efforts to harmonize policies and guidance for national security systems and non-national security systems. To do this, we focused on the Joint Task Force Transformation Initiative Interagency Working Group and supporting agencies within the civil, defense, and intelligence communities.[Footnote 30] Specifically, we identified actions taken and planned by the Joint Task Force Transformation Initiative Interagency Working Group to harmonize information security guidance. To do this, we reviewed program plans, schedules, and performance measures related to the harmonization efforts. We also obtained and reviewed current information technology security policies, guidance, and other documentation for national security systems and non-national security systems and then conducted interviews with officials from the National Institute of Standards and Technology (NIST), Committee on National Security Systems (CNSS), Department of Defense (DOD), Office of the Director of National Intelligence (ODNI), National Security Agency (NSA), and Office of Management and Budget (OMB) to identify differences in existing guidance and plans to resolve these differences. We also assessed efforts against criteria including prior GAO work on key practices to sustain and enhance cross-agency collaboration. We performed this assessment by reviewing documents and interviewing agency officials from NIST, CNSS, DOD, ODNI, NSA, and OMB. We identified evidence of key practices, such as documented roles and responsibilities, and mechanisms to monitor, evaluate, and report on progress, and verified our assessment with agency officials. We conducted this performance audit from February 2010 through September 2010 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. [End of section] Appendix II: Comments from the Department of Commerce: United States Department Of Commerce: The Secretary of Commerce: Washington, D.C. 20230: August 27, 2010: Mr. Gregory C. Wilshusen: Director, Information Security Issues: U.S. Government Accountability Office: Washington, DC 20548: Dear Mr. Wilshusen: Thank you for the opportunity to comment on the draft report from the U.S. Government Accountability Office (GAO) entitled "Information Security: Progress Made on Harmonizing Policies for National Security and Non-National Security Systems" (GA0-10-916). We concur with the report's conclusions that the Department of Commerce and the Department of Defense (DoD) update plans for future collaboration, establish timelines for implementing revised guidance, and implement fully key practices for interagency collaboration in the harmonization effort. We also feel that the draft report does an outstanding job at highlighting the National Institute of Standards and Technology's (NIST) leadership in this effort. The Department of Commerce would like to offer the comments in the attached document regarding the GAO's conclusions. We are looking forward to receiving your final report and continuing discussions with GAO regarding its conclusions. Please contact Rachel Kinney at (301) 957-8707 should you have any questions regarding this response. Sincerely: Signed by: Gary Locke: [End of section] Appendix III: GAO Contact and Staff Acknowledgments: GAO Contact: Gregory C. Wilshusen, (202) 512-6244 or wilshuseng@gao.gov: Staff Acknowledgments: In addition to the contact name above, individuals making contributions to this report included Vijay D'Souza (assistant director), Neil Doherty, Thomas J. Johnson, Lee McCracken, David Plocher, Harold Podell, and John A. Spence. [End of section] Footnotes: [1] As defined in FISMA, the term "national security system" means any information system used by or on behalf of a federal agency that (1) involves intelligence activities, national security-related cryptologic activities, command and control of military forces, or equipment that is an integral part of a weapon or weapons system, or is critical to the direct fulfillment of military or intelligence missions (excluding systems used for routine administrative and business applications) or (2) is protected at all times by procedures established for handling classified national security information. See 44 U.S.C. § 3542(b)(2). For the purposes of this report, systems that do not meet the criteria for national security systems are referred to as non-national security systems. [2] The differing treatment of national security and non-national security systems reflects a long-standing division in laws that limit civilian management oversight of military and intelligence information systems by excluding national security systems from the "information technology" overseen by the civilian agencies. OMB authority over such systems is limited in FISMA (44 U.S.C. § 3543(b)), in the Paperwork Reduction Act (44 U.S.C. § 3502(9)), and in the Clinger-Cohen Act (40 U.S.C. § 11103). NIST authority is limited by 15 U.S.C. § 278g- 3(a)(2), as amended by FISMA, but also under the prior language of the Computer Security Act of 1987 (Pub. L. 100-235, Jan. 8, 1988). These limitations are variations of a provision, known as the "Warner Amendment," added to the DOD Authorization Act of 1982, which exempted DOD procurement of national security systems from General Services Administration oversight under the Brooks Act (then-40 U.S.C. § 759). Pub. L. 97-86, title IX, § 908(a)(1), Dec. 1, 1981; 10 U.S.C. § 2315. [3] In addition to placing limitations on OMB's authority over national security systems, FISMA permits further independence from OMB oversight for Department of Defense and Central Intelligence Agency systems where loss of security would have a debilitating impact on the mission of either agency, 44 U.S.C. 3543(c). More generally, FISMA also states that it does not affect authorities otherwise granted an agency with regard to national security systems (as well as requirements under the Atomic Energy Act of 1954), Sec. 301(c), Pub. L. 107-347 (116 Stat. 2955); 44 U.S.C. 3501 note. [4] National Security Directive 42, National Policy for the Security of National Security Telecommunications and Information Systems, July 5, 1990. [5] NIST, Guide for Applying the Risk Management Framework to Federal Information Systems, SP 800-37, revision 1 (Gaithersburg, Md.: February 2010). [6] NIST, Guide for Applying the Risk Management Framework to Federal Information Systems, SP 800-37, revision 1, was formerly NIST, Guide for the Certification and Accreditation of Federal Information Systems, SP 800-37. The risk management framework replaces the process known as certification and accreditation described in the previous version of SP 800-37. [7] NIST, Standards for Security Categorization of Federal Information and Information Systems, FIPS Publication 199 (Gaithersburg, Md.: February 2004). [8] NIST, Guide for Mapping Types of Information and Information Systems to Security Categories, SP 800-60, revision 1 (Gaithersburg, Md.: August 2008). [9] NIST, Minimum Security Requirements for Federal Information and Information Systems, FIPS Publication 200 (Gaithersburg, Md.: March 2006). [10] NIST, Recommended Security Controls for Federal Information Systems and Organizations, SP 800-53, revision 3 (Gaithersburg, Md.: August 2009). [11] NIST, National Checklist Program for IT Products--Guidelines for Checklist Users and Developers, SP 800-70, revision 1 (Gaithersburg, Md.: September 2009). [12] NIST maintains the National Checklist Repository, which is a publicly available resource that contains a variety of security configuration checklists for specific IT products or categories of IT products. [13] NIST, Guide for Assessing the Security Controls in Federal Information Systems, SP 800-53A (Gaithersburg, Md.: June 2010). [14] National Security Directive 42, National Policy for the Security of National Security Telecommunications and Information Systems, July 5, 1990. [15] The departments and agencies with voting representatives are the Departments of Commerce, Defense, Energy, Homeland Security, Justice, State, Transportation, and the Treasury; the Central Intelligence Agency; the Defense Intelligence Agency; the Federal Bureau of Investigation; the General Services Administration; the National Security Agency; the National Security Council; the Office of the Director of National Intelligence; the Office of Management and Budget; the Joint Chiefs of Staff; the Air Force; the Army; the Marine Corps; and the Navy. [16] CNSS Policy 22, Information Assurance Risk Management Policy for National Security Systems, February 2009. [17] CNSS Policy 6, National Policy on Certification and Accreditation of National Security Telecommunications and Information Systems, October 2005. [18] National Security Directive 42, National Policy for the Security of National Security Telecommunications and Information Systems, July 5, 1990. [19] CNSS Instruction 4009 (CNSSI 4009), National Information Assurance Glossary, June 2006. [20] The organizations are the Central Intelligence Agency, Defense Intelligence Agency, Department of Energy (Office of Intelligence and Counterintelligence), Department of Homeland Security (Office of Intelligence and Analysis), Department of State (Bureau of Intelligence and Research), Department of the Treasury (Office of Intelligence and Analysis), Drug Enforcement Administration (Office of National Security Intelligence), Federal Bureau of Investigation (National Security Branch), National Geospatial-Intelligence Agency, National Reconnaissance Office, National Security Agency/Central Security Service, United States Air Force, United States Army, United States Coast Guard, United States Marine Corps, United States Navy, and Office of the Director of National Intelligence. [21] Director of Central Intelligence Directive 6/3, Protecting Sensitive Compartmented Information within Information Systems-- Policy, June 5, 1999. [22] The Federal CIO Council is an interagency forum for improving agency IT practices. The council, chaired by OMB, coordinates with NIST and CNSS on the development of harmonized information system guidance. [23] Federal Information Management Strategic Plan, Federal Chief Information Officers Council Framework (Fiscal Years 2010-2013), January 26, 2010. [24] The assessment and authorization process replaces the process known as certification and accreditation described in the previous version of SP 800-37. [25] CNSS Instruction 4009, National Information Assurance (IA) Glossary, April 26, 2010. [26] CNSS Policy 6, National Policy on Certification and Accreditation of National Security Systems, October 2005. [27] A security control baseline is the set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system. [28] These include Intelligence Community Directive 503, dated September 2008, which establishes intelligence community policy for IT systems security risk management and certification and accreditation, and Standard 503-2, which directs the intelligence community to use CNSSI-1253 as the authoritative source for categorizing and selecting security controls. [29] GAO, Results-Oriented Government: Practices That Can Help Enhance and Sustain Collaboration among Federal Agencies, [hyperlink, http://www.gao.gov/products/GAO-06-15] (Washington D.C.: Oct. 21, 2005). [30] The agencies include the National Institute of Standards and Technology, Committee on National Security Systems, U.S. Department of Defense, Office of the Director of National Intelligence, National Security Agency, and Office of Management and Budget. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: