NIST Lab Director Tackles Cybersecurity, Cloud Computing
Cita Furlani explains the nuts-and-bolts work of defining key government IT standards and the job of working with federal agencies on adoption and implementation.
The National Institute of Standards and Technology's IT Laboratory plays a key role in government cybersecurity, setting standards that federal agencies are required to follow. InformationWeek discussed NIST's role, including the fine line between setting standards and setting policy, with Cita Furlani, director of NIST's IT Lab.
InformationWeek: How would you describe NIST's cybersecurity role, and how NIST influences what federal CIOs and IT professionals implement?
Furlani: We have the mandate from Congress under the Federal Information Systems Management Act that we develop standards, and once they become a Federal Information Processing Standard, agencies have the requirement of actually using the standards. Mostly we limit our FIPS development to very core technologies. The encryption modules and the Personal Identity Verification standards are the most recent, the most visible at least. Most of the rest of what we do is really considered guidelines; it's not mandated.
InformationWeek: How do you work with the federal IT crowd? They must say, 'How do we actually implement this stuff?' Do you get peppered with a lot of questions?
Furlani: Oh yes. We have a large outreach effort. The staff is out with these research activities, they're out with CIO Council. We publish everything first as a draft publication for public comment from government agencies as well as anybody else. Sometimes some of that is put out for a second draft when you get enough comments back. When we are publishing FIPS, we make available every public comment and every response to a public comment.
InformationWeek: When a FIPS document goes out, after the FIPS 140-2 encryption standard got released, for example, a slew of vendors say, 'Our USB key is encrypted to 140-2 compliance.'
Furlani: We have a certification program in place under our sister laboratory, the Technology and Services Laboratory, the National Voluntary and Accredited Laboratory Program. There are accredited labs that certify whether a particular piece of software meets the crypto requirements, and then those are published on our Web site.
InformationWeek: What about recommended actions? You've recently put out a final document called Special Document 800-53 for recommended security controls for federal information systems, for example.
Furlani: The way 800-53 is designed, you need to understand what level of risk you are taking before you understand what level of controls you're going to implement. It's like locking your house. You can lock everything down with double locks and everything else if there's something in some room you really want to protect, but typically because you want to go in and out more easily, you don't protect your house at the level you could. What we've tried to do is give system managers that trade-off for understanding what mechanisms to use. If you've got a low risk system, you can choose from among this set, if you've got a high risk system, you can chose among an additional set.
InformationWeek: Why is 800-53 an important publication?
Furlani: Primarily because it's so needed to understand why you're making these decisions. Another incredibly important part is that we do not have a mandate for the intelligence community, but they are engaged and helped define what the goals are, as well as the Department of Defense. So really for the first time, we have a baseline set of controls across the entire federal sweep of agencies, by voluntarily agreeing what those should be.
IT Service Management Must EvolveThe idea of technology being delivered as a service appeals to the 409 IT pros responding to our Service-Oriented IT Survey. But cloud providers are competing for that work, and CIOs are being selective.