Simplicity can be a great defense when it comes to government technology systems. That’s what National Institute of Standards and Technology (NIST) senior fellow Ron Ross argued at a forum Wednesday about lowering the cost of government through technology.
NIST is publishing several documents to help agencies keep things simple, including risk assessment guidelines due out late next month, an updated catalog of cybersecurity threats later this fall and a systems and security guideline publication early next year.
Ross said government IT systems have become more vulnerable to cyber threats as they have become more complex. He spoke before industry and agency members at the conference, which was sponsored by the media company FedScoop.
Agencies should make security decisions based on risk because they cannot guard against every complexity, Ross said. He added that simplifying and standardizing systems can make security much easier for less money.
To do that, he said, agencies need to take a step back and look at how their technology can help them complete their missions, rather than trying to retrofit old technology for new purposes.
He called it “enterprise architecture on steroids.” NIST’s forthcoming systems and security guidelines will help agencies take this approach to their systems; in the meantime, he gave a small preview at the forum.
“Through things like cloud computing and data center consolidation, reducing complexity will give us opportunities to understand how we can deploy our safeguards and countermeasures in the best way possible,” Ross said.
In the meantime, the draft risk assessment guide to be released next month should help agencies make everyday decisions on evaluating and reacting to threats. Ross said agencies trying to save money can use it to target their resources to their needs.
“We only deploy controls where we see a threat, we have a vulnerability, and there’s the possibility or likelihood that that threat could actually exploit the vulnerability to bring down a critical mission or impede your operations in some way,” said Ross. “That’s working smart, as opposed to just working with one-size-fits-all.”
The updated security control catalog will emphasize that people, as well as technology, present threats. It will include a section on insider threats, inspired by the 2010 scandal that leaked thousands of documents to the website Wikileaks. Ross said the catalog will also include information on supply chain threats; the computer worm Stuxnet, which targeted Iranian nuclear facilities; and an appendix on privacy controls.