DoD's embrace of NIST security standards is not the radical shift it might appear to be, says DoD CIO Teri Takai. (Mike Morones/Staff)
The Defense Department has historically gone its own way on security matters, but now the Pentagon is looking to government-wide IT security standards to make compliance simpler.
DoD officially adopted IT security standards that the National Institute of Standards and Technology set forth for government. That change in policy leaves behind the longstanding, military-specific DoD Information Assurance Certification and Accreditation Process in favor of NIST’s risk-management framework. The move includes the Pentagon’s republishing and reissuing of its 8500 and 8510 instructions for IT security standards to reflect the changes.
“While in fact this may seem like a dramatic shift, we don’t see it so much as a dramatic shift as an evolution of where we want to go,” said Teri Takai, DoD CIO, speaking April 2 at Intel’s Security Through Innovation Summit in Washington. “We’re very committed to the adoption of the NIST standards. Our intent was to not have a situation where you have to comply with…a set of NIST standards that are different from DoD standards.”
The changes aren’t limited to NIST’s risk-management framework and related approaches. At DoD the focus on IT security standardization centers on the department’s move to the Joint Information Enterprise, and will extend from the earliest requirements and acquisition processes to technology deployed to the tactical edge.
“We’re working very closely with [DoD acquisition, technology and logistics] around the way that we’re going to go into major procurements of information technology in the future, whether that’s the services, very large applications or systems,” Takai said, using DoD’s forthcoming integrated electronic health records program as an example. “We have a number of [requests for proposals] out on the iEHR that we’re working on – those will all be built on a premise of JIE, which will be different from the way we put those out in the past where in each individual program the RFP…has been a build-out of the infrastructure for that program. In the future that will all be built on the assumption that whatever we build will be built on JIE.”
With budgets tight at the Pentagon, the moves to JIE and cross-government standardization writ large are one way to wring out efficiencies and stretch funding. But that’s secondary to the main objective of securing and defending DoD networks and data, Takai said.
“The way that we’re configured and constructed today…is enormously difficult for [U.S. Cyber Command] to actually do their job, to actually be able to see into the networks, understand what is in all of the networks and actually be able to defend those networks,” Takai said. “You get to the point where the complexity of what we have and the way we’re architected just really is an inhibitor to that. That’s not to say the intent behind our architecture was bad; it’s just that it’s an architecture that’s grown up over time, is big and is very decentralized.”