One Catalog to Rule Them All

Posted September 11th, 2007 by

Interesting article at Federal Computer Week that hints at a unified catalog of controls (read: SP 800-53, DoDI 8500.2, and DCID 6/3 combined into one huge catalog) that applies to all federal IT systems.  It’s coming; the big question is “how many years until it’s done?”

I know you guys know me well enough by now to reason that I’m going to tell you why we care.  And you’re right.

Well, one of the reasons FISMA is failing (at least according to some people; my opinion differs) is that we have a shortage of people with the necessary training and skills.  What a unified catalog of controls means is that we now have something that is standardized across the board, so that I can take an IA practitioner from the DoD side, put them into a civilian agency, and have a reasonable expectation that they will succeed there.  In other words, I’ve decreased the switching costs for personnel transfers.  I’ve also made it easier for agencies to share data with each other (conspiracy buffs here can think things about Census data feeding the Total Information Awareness program and being corroborated against your classified file) and to support each other as vendors under Lines of Business, which the government needs desperately.

The one downside I can see is that if you have a catalog of controls that runs the entire range from low-criticality to TS-plus, the tendency will be for every ISSO out there to build more controls than they actually need.  But we have that today, only not as severe.

Posted in FISMA, NIST | 3 Comments »

3 Responses

  1.  Larry Kilgallen Says:

    While DoD 8500.2 was there first, NIST 800-53 has provided a more comprehensive set of controls for general use. Adding DoD (and DCID, etc.) specialized controls covering classification issues to the 800-53 taxonomy will provide the most rational organization for the resulting document. And it will be a good thing for those charged with securing sensitive but unclassified personal information about individuals to get a good look at techniques used to secure classified information.

  2.  Current Government Security Initiatives | The Guerilla CISO Says:

    […] Combined Catalog of Controls:  Superseding DoDI 8500.2 (DoD catalog of controls) and DCID 6/3 (intelligence community catalog of controls) with a reinforced SP 800-53.  Process flow would be along SP 800-37.  I’ve talked about this before. […]

  3.  System Advancements at the Monastery » Blog Archive » Intense Simplicities Says:

    […] LLP, makes the following important point about the unified catalog of controls in his post, “One Catalog to Rule Them All”: What a unified catalog of controls means is that we now have something that is standardized […]
