Overview[]
The Joint Task Force Transformation Initiative Interagency Working Group was formed in April 2009 with representatives from NIST, DOD, and ODNI to produce a unified information security framework for the federal government. Instead of having parallel publications for national security systems and non-national security systems for risk management and systems security, the intent is to have common publications to the maximum extent possible. Harmonized security guidance is expected to result in less duplication of effort, lower maintenance costs, and more effective implementation of controls across multiple interconnected systems. In addition, the harmonized guidance should make it simpler and more cost-effective for vendors and contractors to supply security products and services to the federal government.
As illustrated below, key areas targeted for the common guidance include risk management, security categorization, security controls, security assessment procedures, and the security authorization process contained in the NIST risk management framework. NIST develops standards and guidance for non-national security systems, including most systems in civilian agencies. CNSS provides policy, directives, and instructions binding upon all U.S. government departments and agencies for national security systems, including systems in the intelligence community and DOD (e.g., classified systems). Since NIST does not have authority over national security systems, CNSS issuances authorize the use of the harmonized NIST guidance developed by the joint task force. As necessary, CNSS also develops additional information security requirements to accommodate the unique nature of national security systems. Finally, individual agencies may create their own specific implementing guidance.
The joint task force has published three of five planned publications containing harmonized information security guidance and is actively developing the final two publications. These include a new publication as well as revisions to existing NIST guidance, as summarized in the table below. In addition, the task force is considering collaboration on two additional publications.
NIST currently leads the working group and the task force publication development process. Working group members are selected for each publication from participating agencies and support contractors to provide subject matter expertise and administrative support. In addition, the task force is guided by a senior leadership team from NIST, CNSS, DOD, and ODNI that reviews and approves the harmonized publications.
Historical background[]
The task force arose out of prior efforts to harmonize security guidance among national security systems. In 2006, the ODNI and DOD CIOs began an initiative to harmonize the two organizations’ certification and accreditation guidance and processes for IT systems. For example, in July 2006, DOD and the intelligence community established a Unified Cross Domain Management Office to address duplication and uncoordinated security activities and improve the security posture of the agencies’ highest-risk security devices. In January 2007, the DOD and ODNI CIOs published seven certification and accreditation transformation goals that included development of common security controls. According to DOD, by July 2008, DOD and the intelligence community were working on six documents that mirrored similar NIST risk management and information security publications. In August 2008, the CIOs signed an agreement adopting common guidelines to streamline and build reciprocity into the certification and accreditation process.
As this effort progressed, the agencies involved determined that it would benefit from closer engagement with NIST and the development of common security guidance. NIST had been informally involved in the harmonization effort for several years, but, according to CNSS, DOD, and ODNI, during the CNSS annual conference in the spring of 2009, the CNSS community decided to more actively engage NIST and agree to use NIST documents as the basis for information security controls and risk management. The committee also agreed to complete policies and instructions to support use of the NIST publications. Following the conference, a memo from the Acting CIO for the intelligence community stated that the intelligence community intended to follow CNSS guidance that pointed to related NIST publications.