Highlights

Historically, civilian and national security-related information technology (IT) systems have been governed by different information security policies and guidance. Specifically, the Office of Management and Budget and the Department of Commerce's National Institute of Standards and Technology (NIST) established policies and guidance for civilian non-national security systems, while other organizations, including the Committee on National Security Systems (CNSS), the Department of Defense (DOD), and the U.S. intelligence community, have developed policies and guidance for national security systems. GAO was asked to assess the progress of federal efforts to harmonize policies and guidance for these two types of systems. To do this, GAO reviewed program plans and schedules, analyzed policies and guidance, assessed program efforts against key practices for cross-agency collaboration, and interviewed officials responsible for this effort.

Recommendations

Recommendations for Executive Action

Agency affected: Department of Commerce
Recommendation 1: To assist the joint task force in continuing its efforts to establish harmonized guidance and policies for national security systems and non-national security systems, the Secretary of Commerce should direct the Director of NIST to collaborate with CNSS to complete plans to identify future areas for harmonization efforts.
Status: Closed - Implemented
Through the Joint Task Force Transformation Initiative Working Group, the National Institute of Standards and Technology (NIST), in collaboration with the Committee on National Security Systems (CNSS), the Department of Defense (DOD), and the Office of the Director of National Intelligence (ODNI), developed a work plan to create unified information security standards and guidelines. The March 2014 work plan identifies special publications that the task force will revise during the year. For example, according to the work plan, the Task Force will collaborate to revise Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems, by March 2015, among other information security-related special publications to be revised and finalized. The Task Force's standard operating procedures direct its members to meet annually to determine a mutually agreed upon work plan for the development of common information security standards and guidelines.

Agency affected: Department of Commerce
Recommendation 2: To assist the joint task force in continuing its efforts to establish harmonized guidance and policies for national security systems and non-national security systems, the Secretary of Commerce should direct the Director of NIST to collaborate with CNSS to consider how implementing elements of key collaborative practices, such as documenting roles and responsibilities, needs, resources, and monitoring and reporting mechanisms, may serve to sustain and enhance the harmonization effort.
Status: Closed - Implemented
NIST, in collaboration with CNSS, developed standard operating procedures for the Joint Task Force Transformation Initiative Working Group that define elements of the collaborative process to harmonize national and non-national security systems guidance and policies. The procedures document the roles and responsibilities for task force members, such as developing an annual work plan for the development of common information security standards and guidelines. The procedures also direct members to contribute resources to support the development process. Further, the procedures direct task force leadership, in collaboration with its partners, to develop a milestone schedule, a publication review and approval process, and an update and maintenance process for the guidance developed.

Agency affected: Department of Defense
Recommendation 3: To assist the joint task force in continuing its efforts to establish harmonized guidance and policies for national security systems and non-national security systems, the Secretary of Defense should direct CNSS to collaborate with NIST to complete plans to identify future areas for harmonization efforts.
Status: Closed - Implemented
The Joint Task Force Transformation Initiative Working Group, a collaboration between the Committee on National Security Systems (CNSS), the National Institute of Standards and Technology (NIST), the Department of Defense (DOD), and the Office of the Director of National Intelligence, developed a work plan to create unified information security standards and guidelines. The March 2014 work plan identifies special publications that the task force will revise during the year. For example, according to the work plan, the Task Force will collaborate to revise Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems, by March 2015, among other information security-related special publications to be revised and finalized. The Task Force's standard operating procedures direct Task Force members to meet annually to determine a mutually agreed upon work plan for the development of common information security standards and guidelines.

Agency affected: Department of Defense
Recommendation 4: To assist the joint task force in continuing its efforts to establish harmonized guidance and policies for national security systems and non-national security systems, the Secretary of Defense should direct CNSS to collaborate with its member organizations, including both DOD and the intelligence community, to include milestones and performance measures in their plans to implement the harmonized CNSS policies and guidance.
Status: Closed - Implemented
In the Joint Task Force Transformation Initiative Working Group's March 2014 annual work plan, the task force identified for revision three NIST special publications addressing information security. While the work plan did not include specific performance metrics, it provided timeframes for revising and releasing the updated guidance. For example, according to the work plan, the task force will collaborate to revise Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems, by March 2015. The task force work plan also identified SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, and SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, for revision and release in final form in August 2014 and January 2015, respectively. SP 800-53A remains in draft.

Agency affected: Department of Defense
Recommendation 5: To assist the joint task force in continuing its efforts to establish harmonized guidance and policies for national security systems and non-national security systems, the Secretary of Defense should direct CNSS to collaborate with NIST to consider how implementing elements of key collaborative practices, such as documenting roles and responsibilities, needs, resources, and monitoring and reporting mechanisms, may serve to sustain and enhance the harmonization effort.
Status: Closed - Implemented
CNSS collaborated with NIST to jointly develop standard operating procedures for the Joint Task Force Transformation Initiative Working Group that define elements of the collaborative process to harmonize national and non-national security systems guidance and policies. The procedures document the roles and responsibilities for task force members, such as developing an annual work plan for the development of common information security standards and guidelines. The procedures also direct members to contribute resources to support the development process. Further, the procedures direct task force leadership, in collaboration with its partners, to develop a milestone schedule, a publication review and approval process, and an update and maintenance process for the guidance developed.