NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > InfoSec News> 2007-q1

[ISN] ODNI, DOD release IT security standardization policies

From: InfoSec News (alertsinfosecnews.org)
Date: Wed Mar 28 2007 - 03:01:56 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.gcn.com/online/vol1_no1/43373-1.html

By Jason Miller
03/27/07

The Office of the National Director of National Intelligence (ONDI) and
the Defense Department today released the seven areas of certification
and accreditation for information technology systems that they will
standardize.

The next step is a group of small implementation teams that will begin
developing the how the agencies will use these new policies, said Dale
Meyerrose, ODNIs chief information officer and associate director of
national intelligence. He was speaking at the FOSE trade show last week
in Washington. D.C.

Meyerrose announced four of the seven areas during his speech at FOSE,
and today ODNI and DOD made public the other three areas.

DOD and ODNI will:

* Define a common set of trust levels so both departments share
  information and connect systems more easily.

* Adopt reciprocity agreements to reduce systems development and
  approval time.

* Define common security controls using the National Institute of
  Standards and Technologys Special Publication 800-53 as a starting
  point.

* Agree to common definitions and an understanding of security terms,
  starting with the Committee on National Security Systems 4009 glossary
  as a baseline.

* Implement a senior risk executive function to base an enterprise view
  of all factors, including mission, IT, budget and security.

* Operate IT security within the enterprise operational environments,
  enabling situational awareness and command and control.

* Institute a common process to incorporate security engineering within
  life cycle processes.

We need to establish a community environment across security domains,
equipped with standard enterprise services and universal data access,
Meyerrose said in a statement.

DOD and ODNI started work on these standard areas eight months ago and
included the Office of Management and Budget and other agencies.
Meyerrose said the intelligence communities certification and
accreditation policy was more than 10 years old and when the departments
developed it, it took three years to write and four years to coordinate.

Many elements look on the surface as common sense things, Meyerrose said
at FOSE. But they are tearing down the walls to build up partnerships.

He added that because of this process more agency partners are coming
into the mix. Meyerrose said agencies such as the Homeland Security and
Justice departments are participating in the governance process.

While this does not solve all issues of information sharing, we did
raise the bar, he said. We need to get past quantity as the only measure
of success and progress, and get to quality of information shared.

_________________________________________
Visit the InfoSec News Security Bookstore
http://www.shopinfosecnews.org

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]