U.S. ODNI and DoD Standardizing Security Policies

The Office of the Director of National Intelligence (ODNI) and the Department of Defense (DoD) announced that they are going to standardize their information security policies.
The standardization work started eight months ago.

Wouldn't it be great if all government agencies standardized their information security practices so they were unified across the board?
ODNI and DoD will:

* Define a common set of trust levels so that the two organizations can share information and interconnect systems more easily.
* Adopt reciprocity agreements so that a system approved by one organization need not be re-approved by the other, reducing system development and approval time.
* Define common security controls, using the National Institute of Standards and Technology's Special Publication 800-53 as a starting point.
* Agree on common definitions and a shared understanding of security terms, starting with the Committee on National Security Systems (CNSS) Instruction 4009 glossary as a baseline.
* Implement a senior risk executive function that provides an enterprise-wide view of risk across all factors, including mission, IT, budget and security.
* Operate IT security within the enterprise operational environments, enabling situational awareness and command and control.
* Institute a common process for incorporating security engineering into life cycle processes.

Too bad they did not explicitly say anything about standardizing mobile computing and encryption. Their list is focused on network and application architecture and on development processes. Still, the work is certainly needed and a step in the right direction. All organizations need to incorporate information security and privacy into every phase of the systems development life cycle (SDLC).
Awareness gets an explicit mention, although in the list it is situational awareness within operations rather than security awareness and training for personnel, which are woefully insufficient within many organizations. Hopefully the latter will also be addressed, effectively and on an ongoing basis.
These are basic, common-sense security practices. If all government agencies established common, strong, comprehensive information security practices, and then actually enforced them, we would see fewer security incidents and privacy breaches.
By the way, the NIST SP 800-53 document and the CNSS 4009 glossary are great resources for any organization to use in its information assurance efforts.
