News
8/6/2009 04:44 PM

NIST Lab Director Tackles Cybersecurity, Cloud Computing

Cita Furlani explains the nuts-and-bolts work of defining key government IT standards and the job of working with federal agencies on adoption and implementation.

The National Institute of Standards and Technology's IT Laboratory plays a key role in government cybersecurity, setting standards that federal agencies are required to follow. InformationWeek discussed NIST's role, including the fine line between setting standards and setting policy, with Cita Furlani, director of NIST's IT Lab.

InformationWeek: How would you describe NIST's cybersecurity role, and how NIST influences what federal CIOs and IT professionals implement?

Furlani: We have the mandate from Congress under the Federal Information Systems Management Act that we develop standards, and once they become a Federal Information Processing Standard, agencies have the requirement of actually using the standards. Mostly we limit our FIPS development to very core technologies. The encryption modules and the Personal Identity Verification standards are the most recent, the most visible at least. Most of the rest of what we do is really considered guidelines; it's not mandated.

InformationWeek: How do you work with the federal IT crowd? They must say, 'How do we actually implement this stuff?' Do you get peppered with a lot of questions?

Furlani: Oh yes. We have a large outreach effort. The staff is out with these research activities, they're out with CIO Council. We publish everything first as a draft publication for public comment from government agencies as well as anybody else. Sometimes some of that is put out for a second draft when you get enough comments back. When we are publishing FIPS, we make available every public comment and every response to a public comment.

InformationWeek: When a FIPS document goes out, after the FIPS 140-2 encryption standard got released, for example, a slew of vendors say, 'Our USB key is encrypted to 140-2 compliance.'

Furlani: We have a certification program in place under our sister laboratory, the Technology and Services Laboratory, the National Voluntary and Accredited Laboratory Program. There are accredited labs that certify whether a particular piece of software meets the crypto requirements, and then those are published on our Web site.

InformationWeek: What about recommended actions? You've recently put out a final document called Special Document 800-53 for recommended security controls for federal information systems, for example.

Furlani: The way 800-53 is designed, you need to understand what level of risk you are taking before you understand what level of controls you're going to implement. It's like locking your house. You can lock everything down with double locks and everything else if there's something in some room you really want to protect, but typically, because you want to go in and out more easily, you don't protect your house at the level you could. What we've tried to do is give system managers that trade-off for understanding what mechanisms to use. If you've got a low-risk system, you can choose from among this set; if you've got a high-risk system, you can choose from among an additional set.

InformationWeek: Why is 800-53 an important publication?

Furlani: Primarily because it's so needed to understand why you're making these decisions. Another incredibly important part is that we do not have a mandate for the intelligence community, but they are engaged and helped define what the goals are, as well as the Department of Defense. So really for the first time, we have a baseline set of controls across the entire federal sweep of agencies, by voluntarily agreeing what those should be.

Page 1 of 2