Cita Furlani explains the nuts-and-bolts work of defining key government IT standards and the job of working with federal agencies on adoption and implementation.

J. Nicholas Hoover, Senior Editor, InformationWeek Government

August 6, 2009


The National Institute of Standards and Technology's IT Laboratory plays a key role in government cybersecurity, setting standards that federal agencies are required to follow. InformationWeek discussed NIST's role, including the fine line between setting standards and setting policy, with Cita Furlani, director of NIST's IT Lab.

InformationWeek: How would you describe NIST's cybersecurity role, and how NIST influences what federal CIOs and IT professionals implement?

Furlani: We have the mandate from Congress under the Federal Information Systems Management Act that we develop standards, and once they become a Federal Information Processing Standard, agencies have the requirement of actually using the standards. Mostly we limit our FIPS development to very core technologies. The encryption modules and the Personal Identity Verification standards are the most recent, the most visible at least. Most of the rest of what we do is really considered guidelines; it's not mandated.

InformationWeek: How do you work with the federal IT crowd? They must say, 'How do we actually implement this stuff?' Do you get peppered with a lot of questions?

Furlani: Oh yes. We have a large outreach effort. The staff is out with these research activities, they're out with CIO Council. We publish everything first as a draft publication for public comment from government agencies as well as anybody else. Sometimes some of that is put out for a second draft when you get enough comments back. When we are publishing FIPS, we make available every public comment and every response to a public comment.

InformationWeek: When a FIPS document goes out, after the FIPS 140-2 encryption standard got released, for example, a slew of vendors say, 'Our USB key is encrypted to 140-2 compliance.'

Furlani: We have a certification program in place under our sister laboratory, the Technology and Services Laboratory, the National Voluntary and Accredited Laboratory Program. There are accredited labs that certify whether a particular piece of software meets the crypto requirements, and then those are published on our Web site.

InformationWeek: What about recommended actions? You've recently put out a final document called Special Document 800-53 for recommended security controls for federal information systems, for example.

Furlani: The way 800-53 is designed, you need to understand what level of risk you are taking before you understand what level of controls you're going to implement. It's like locking your house. You can lock everything down with double locks and everything else if there's something in some room you really want to protect, but typically because you want to go in and out more easily, you don't protect your house at the level you could. What we've tried to do is give system managers that trade-off for understanding what mechanisms to use. If you've got a low-risk system, you can choose from among this set; if you've got a high-risk system, you can choose among an additional set.

InformationWeek: Why is 800-53 an important publication?

Furlani: Primarily because it's so needed to understand why you're making these decisions. Another incredibly important part is that we do not have a mandate for the intelligence community, but they are engaged and helped define what the goals are, as well as the Department of Defense. So really for the first time, we have a baseline set of controls across the entire federal sweep of agencies, by voluntarily agreeing what those should be.

InformationWeek: How applicable is current FISMA guidance to cloud computing?

Furlani: A lot of what needs to be clear is a good definition of what we're talking about before we can start saying how you might protect it. Then, looking at the trade-offs between security and privacy, usability, how you can scale identity management; there are many research-related issues here. How do you measure a truly secure system, and against what risk levels are you trying to measure?

InformationWeek: In an area like cloud computing, which is amorphous and widely defined and still in a developmental phase, how does that play out? How do you pick and choose your battles of what to define as standards now versus what to do later?

Furlani: It can and will be an enormous savings if we can figure out how to do it correctly, and I think that's what we're all struggling with, both Vivek Kundra, GSA, and the CIOs in general. I co-chair a subcommittee of the CIO Council that helps identify some of these ongoing technology infrastructure constraints; it's the subcommittee under the Architecture and Information Committee, the Technology Infrastructure Committee. We actually have the change control responsibilities for the Federal Desktop Core Configuration and IPv6, so I'm in the thick of thinking about what the government should do about cloud computing, both with NIST and with the CIO architectural control community. Actually defining what cloud computing is is number one, and number two is figuring out where there should be standards.

InformationWeek: While the government has been pushing IPv6 for some time, standardization has begun to take final shape, and there are requirements that soon everything new has to be IPv6. How do you get the testing program ramped up?

Furlani: We put out the government profile of what the government should expect from IPv6 and what should be measured. With the labs, we're setting up accreditation programs that we can do the same kinds of work, with the University of New Hampshire doing the bulk of the work. We'll work with OMB to make sure what exactly a requirement clause would say that makes these requirements imperative in the acquisition process.

InformationWeek: What's going to be your role in taking what was developed in the 60-day federal cybersecurity review and implementing it? I wanted to drill down into one area where there's a lot of work to be done in standardization, which is identity management.

Furlani: In the big picture, portions of the Comprehensive National Cybersecurity Initiative were focused on the research direction. Another piece we bring in is the whole understanding of standards and their development and the recognition internationally. IT is global, so if you're talking about DNSSEC or Internet connectivity or use, building the standards internationally, understanding those standards, and bringing that back into the community is important.

In identity management, it's not just the context of IT management. I need to understand you are you, but I also need to understand if the computer is yours or it's somebody else's. Being 'you' may mean something entirely different in your work life and your private life. Bridging these trust models, some kind of federated credentialing, understanding scalability issues. Role-based access comes into play. There's a lot of research there, and there's also a lot of moving the standards forward.
