NIST Lab Director Tackles Cybersecurity, Cloud Computing - InformationWeek

Cita Furlani explains the nuts-and-bolts work of defining key government IT standards and the job of working with federal agencies on adoption and implementation.

The National Institute of Standards and Technology's IT Laboratory plays a key role in government cybersecurity, setting standards that federal agencies are required to follow. InformationWeek discussed NIST's role, including the fine line between setting standards and setting policy, with Cita Furlani, director of NIST's IT Lab.

InformationWeek: How would you describe NIST's cybersecurity role, and how NIST influences what federal CIOs and IT professionals implement?

Furlani: We have the mandate from Congress under the Federal Information Systems Management Act that we develop standards, and once they become a Federal Information Processing Standard, agencies have the requirement of actually using the standards. Mostly we limit our FIPS development to very core technologies. The encryption modules and the Personal Identity Verification standards are the most recent, the most visible at least. Most of the rest of what we do is really considered guidelines; it's not mandated.

InformationWeek: How do you work with the federal IT crowd? They must say, 'How do we actually implement this stuff?' Do you get peppered with a lot of questions?

Furlani: Oh yes. We have a large outreach effort. The staff is out with these research activities, they're out with CIO Council. We publish everything first as a draft publication for public comment from government agencies as well as anybody else. Sometimes some of that is put out for a second draft when you get enough comments back. When we are publishing FIPS, we make available every public comment and every response to a public comment.

InformationWeek: When a FIPS document goes out, after the FIPS 140-2 encryption standard got released, for example, a slew of vendors say, 'Our USB key is encrypted to 140-2 compliance.'

Furlani: We have a certification program in place under our sister laboratory, the Technology and Services Laboratory, the National Voluntary and Accredited Laboratory Program. There are accredited labs that certify whether a particular piece of software meets the crypto requirements, and then those are published on our Web site.

InformationWeek: What about recommended actions? You've recently put out a final document called Special Document 800-53 for recommended security controls for federal information systems, for example.

Furlani: The way 800-53 is designed, you need to understand what level of risk you are taking before you understand what level of controls you're going to implement. It's like locking your house. You can lock everything down with double locks and everything else if there's something in some room you really want to protect, but typically, because you want to go in and out more easily, you don't protect your house at the level you could. What we've tried to do is give system managers that trade-off for understanding what mechanisms to use. If you've got a low-risk system, you can choose from among this set; if you've got a high-risk system, you can choose from among an additional set.

InformationWeek: Why is 800-53 an important publication?

Furlani: Primarily because it's so needed to understand why you're making these decisions. Another incredibly important part is that we do not have a mandate for the intelligence community, but they are engaged and helped define what the goals are, as well as the Department of Defense. So really for the first time, we have a baseline set of controls across the entire federal sweep of agencies, by voluntarily agreeing what those should be.
