The National Institute of Standards and Technology (NIST) has recently begun to draft documentation on how to incorporate an across-the-board security standard for all organizations that are considered to be part of the country’s critical infrastructure, adding yet another layer to an already convoluted process. The goal is to gain buy-in from both the private and public sector as to what process would work best as a type of blanket framework for every different type of organization. Although the NIST framework, and how it is implemented, are both in need of repair, the way NIST is going about this seems to add frustration instead of solving any problems.
The current NIST standards for federal information systems use a multitude of documents that are all hundreds of pages in length. Add that to the fact that a fairly high percentage of the people that carry out the security tasks for their organization are not security professionals, but rather system administrators or engineers, and you get an already broken process being smashed into smaller pieces.
Rarely have I seen an environment where there are adequately trained security professionals who actually know how the current NIST framework operates. Organizations can’t seem to afford or find the security experts to implement these processes, but somehow the federal government can spend millions of dollars to have committees upon committees talk about how they will add to the workload of the already drowning employees.
What needs to happen is for NIST to condense the current process and make it more efficient. When you look at other security standards, you see much more efficient processes with much less required reading. For example, the current Payment Card Industry (PCI) Data Security Standard (DSS), which is used to verify that organizations that process any type of payment card information are secure, is only 75 pages and includes both requirements and assessment procedures, while NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, and NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, together are over 600 pages.
I believe the best way to make these documents and processes more efficient is to have an independent (non-government) organization develop new standards, with NIST having oversight only into the development process. This would allow for security experts who have seen what does or doesn’t work to craft efficient policies and procedures that are actually usable, which would allow for easier implementation and ultimately a more SecureState.