The Role of Technical Standards in Computer Security from FISMA and NIST


Role of Technical Standards

If you are serious about information security you need to read the NIST FISMA implementation guidelines. This document will let you see just how cryptic the government standards business can be. FISMA is the Federal Information Security Management Act. It has guidelines on information security for anyone dealing with the federal government. Those of us who have been in government policy jobs know about the FIPS PUBs. They are the publications that NIST has produced on various computer topics. If you are looking for a topic in data processing, chances are NIST has a FIPS PUB for it.

The NTIS is also a publications group selling federal guidelines. They have information and publications that can be helpful to you. Then there is the NSA publication called the Orange Book, part of the Rainbow Series on information classification systems. This is a must-read for the computer security guru. Sometimes it seems there are a lot of government guidelines on computers, so I did the natural thing and studied computer laws.

What I found was that when Congress makes a law they research all the laws in the other governments of the world first and see what they have done on it. Then they copy the best parts of that law. Did you know that British trademark law is almost 100 years older than American trademark law? Newer digital laws are not keeping up with the changes in technology. This is why Congress hears expert testimony on key issues like identity theft and other computer crimes. They are trying to catch up to the rapid rate of technological innovation.

NIST plays the same game. When I called them out in my comments on FISMA about it being too convoluted they merely shrugged and said “So what?” I thought I was helping them by telling them to simplify the language of the FISMA NIST standard 800-53. They basically told me I didn’t know what I was talking about. They are bound and determined to keep building a house of cards by using complex terms and language in the standard that refers to other FIPS PUBs. In other words, it is the old self-reference technique that our college teachers told us was close to plagiarism. This mattered little to the folks at NIST who run things, because they have a monopoly on the government computer standards process.

I think what makes technical standards effective is when normal people can pick them up and read them unencumbered by techno-speak. Anyone can pick up the ISO OSI model standard and get a good idea of what it says about data communications. The other ISO quality standards are similarly simple to understand. IEEE standards are sometimes hard to understand, but they too have a specific technical audience. When our government creates standards that cannot be read, it is just a plain crime. Try reading FIPS PUB 800-53 if you are in doubt and see what I mean. It refers to other FIPS PUBs that the reader may not know and makes basic mistakes of self-reference.

OMB Circulars can also be cumbersome, but they are readable to non-technicians. OMB A-130 describes information security in government systems and has been around a long time. Many analysts in the military and federal government computer sector have used this guidance in the past. It is a part of many CIO interview questions. It links budgeting to information security, and in Washington most of the government management is budget oriented, not process oriented.

So the next time you are asked to analyze computer standards you need to be sure you are ready for boredom and relatively poor writing. None of the standards in this area would pass in my graduate program at Aspen University. They are so poor that you can reread them several times and still be in the dark. I suggest that NIST and others hire real writers to rewrite the technical standards that the whole country is supposed to follow.