Comments
Defense Department Adopts NIST Security Standards
jmyerson
User Rank: Apprentice
6/7/2014 | 6:04:19 AM
Participation in the Control Correlation Identification efforts
Thanks for the article.

A draft version of the CCI List conforming to CCI version 2 is now available. This list contains CCIs derived from NIST SP 800-53.

Participation from the members of the Information Security Community in the CCI efforts is encouraged. You can provide feedback on the CCI list at disa.letterkenny.FSO.list.cci@mail.mil. You may also provide comments using the CCI Comment Matrix.
WKash
User Rank: Author
3/17/2014 | 7:18:30 PM
Re: DISA CCIs
Thanks for noting DISA's role in mapping DOD's controls to NIST's. I'm sure you're right; that's hugely valuable to developers.
WKash
User Rank: Author
3/17/2014 | 7:15:27 PM
Re: Industry inflection point
Yes, this is an inflection point for DOD, and the federal government, and a credit to the work NIST does in finding the common ground. The only downside is it took NIST and DOD 5 years to reach this point.
JudyD173
User Rank: Apprentice
3/14/2014 | 6:01:53 PM
Re: Smart move
I agree. NIST has been leading the way on this for a long time. With DoD on board, it just makes the case that much stronger. As a result, life will be much simpler at DoD.
Kevin_Jackson
User Rank: Apprentice
3/14/2014 | 3:48:30 PM
Industry inflection point
This decision marks an important inflection point for the US federal marketplace. By accepting the NIST Security Standards, the DoD is demonstrating strong support for a government-wide IT management and governance paradigm. This also supports a consistent cybersecurity model and bodes well for the current adoption of cloud computing services.
DanielC558
User Rank: Apprentice
3/14/2014 | 1:38:04 PM
From a developer / Architect point of view
As a developer / architect, we have to learn a wide variety of different environments, and when we have multiple confusing sets of standards we have to meet, depending on the customer being one federal agency or another, it's more challenging to be successful.

In most environments I have worked in, security is an afterthought. To do security right, it needs to be baked into the design, and for that to happen, we need clear standards for how to achieve it in a given environment / tool set.

This sounds like a step forward on how to achieve that. I look forward to learning more about it.
LenMarzigliano
User Rank: Apprentice
3/14/2014 | 12:06:47 PM
DISA CCIs
I think one of the secret sauce ingredients to a successful 'baked in' DoD RMF system implementation is the DISA CCIs (Control Correlation Identifiers). Many haven't noticed, but DISA FSO has been re-writing and re-wiring all of the STIGs (Security Technical Implementation Guides for product-specific technologies) based on their SRGs (product-agnostic Security Requirements Guides), which are built from combined IA requirements (NIST controls, CYBERCOM CTOs, etc.).

Read any of the CCIs, and it quickly becomes obvious that DISA literally ran a Cartesian Product style breakdown of every control/enhancement in the NIST library, meaning if a control calls for A, B, and C to be done on X, and Y, then six CCIs were created to handle every aggregate requirement (A on X, A on Y, B on X, etc.)  This may seem trivial, but when engineers/developers are given these as design/development requirements, guess what?  They respond!  They appreciate the clear/concise breakdown, and they will execute on it accordingly.

I'm constantly evangelizing that IA does not have to be adversarial.  If it is, you're doing it wrong.  The NIST controls and DISA CCIs go a long way toward achieving that.  
WKash
User Rank: Author
3/14/2014 | 11:24:49 AM
Smart move
This decision comes as welcome news.  NIST's risk management framework, and its related documents (linked in this story), including 800-53 Rev 4, indeed take a more holistic approach to information assurance and security.  That DOD CIO Teri Takai and her team were able to get this decision to the goal line, and get DOD to move from DIACAP to NIST standards, and thus create one standard across the federal government, is a BIG deal.  