Return to Article: Cybersecurity chiefs keep a low profile
Where did the title (CISO) come from? FISMA labels this position as the Senior Agency Information Security Officer (SAISO).
Cybersecurity is an outdated term that should reflect the overall protection of information such as Information Assurance (IA). IA places emphasis on all aspects necessary to the protection of an Information System (IS). These aspects were originally identified as safeguards such as Administration Security, Communication Security, Computer Security, Personnel Security, Physical Security, Procedural Security and Emanation Security.
Now that everyone is centering on Cybersecurity, we are forgetting that in order to gain access to an IS we have omitted addressing Physical and Personnel Security issues. Thus we now have the insertion of the HSPD-12 initiative.
As for the Certification and Accreditation (C&A) of an IS, talk about a rabid dog: for every federal agency you have a different C&A process to follow. How many C&A processes can you name: DITSCAP Instruction, DITSCAP Application Manual, DIACAP (supposed to replace DITSCAP, but DITSCAP is needed for the Comprehensive Package), DCID 6/3, 6/3 Annotated, DODIIS, JDODIIS, NSTISSI 1000 NIACAP, NGA NIACAP, NISCAP, NIST SP 800-37, AFI 33-202, FAA SCAP, and a host of other variations; and let us not forget the new and upcoming DNI process that is being developed.
A CISO is extremely challenged these days, as the DAA/AO is nothing more than a figurehead without the proper authority to accredit an IS. This authority has been stripped from the position with the implementation of FIPS 199. The 199 provides a means of reducing the C&A process to a formality, as controls are removed based on someone else's desire NOT to perform the necessary functions to protect an IS.