The Obama administration is releasing details of its approach to facilitating better sharing of national security information between agencies and authorized parties.
The president on Dec. 19 released the National Strategy for Information Sharing and Safeguarding (NSISS), which is meant to provide guidance for developing policies, processes and standards to promote secure information sharing between government agencies and between the government and authorized individuals.
Information sharing has been at the center of the debate about cyber-security legislation, with some worrying that privacy rights will be trampled while others express concern that the sharing of threat information is often only one-way, with companies doing the sharing.
"At the end of the day, we have to understand that cyber-criminals are coordinating their efforts and are well-versed in sharing vulnerabilities and attack methodologies," said Torsten George, vice president of worldwide marketing, products and support for Agiliance, a risk management solutions vendor. "To counter them, government and the private sector must work hand-in-hand to quickly disseminate information about threats."
Though not specifically about the challenges the country is facing in cyberspace, the document notes that differences in policies and technologies prevent authorized users from gaining access to critical resources and information on disparate networks and creates barriers across agencies and departments. In addition, increased information sharing requires advanced correlation and analytic capabilities.
Efforts to address these issues are under way, according to the document.
"It is a national priority to efficiently, effectively, and appropriately share and safeguard information so any authorized individual … can prevent harm to the American people and protect national security," the document states. "The Strategy points toward a future in which information supports national security decisionmaking [sic] by providing the right information, at any time, to any authorized user, restricted only by law or policy, not technology; and where safeguarding measures, to include a comprehensive regimen of accountability, prevent the misuse of the information."
The strategy encompasses five overall goals: improving discovery and access through common standards; driving collective action collaboration and accountability; optimizing mission effectiveness through shared services and interoperability; strengthening information safeguarding through structural reform, policy and technical solutions; and protecting privacy and civil rights through consistency and compliance.
To accomplish those goals, the document lays out some of the actions the government needs to undertake. For example, to improve discovery and access through standards, the document recommends improving identity and authentication controls, as well as encouraging data-level tagging as a way to ensure data can be shared securely.
"Most information authorization models are limited to access controls defined and enforced at the network or application-level, rather than at the data-level using inherent characteristics of specific information resources," according to the document. "As networks are consolidated and shared services are adopted, access controls must be applied on the data itself, using ‘tags.’”
The document also lists the top five priorities of the Administration in regards to the strategy:
- aligning information sharing and safeguarding governance to foster better decision making, performance, accountability and implementation of the Strategy’s goals;
- developing guidelines for information sharing and safeguarding agreements to address common requirements, including privacy, civil rights and civil liberties, while still allowing flexibility to meet mission needs;
- adopting metadata standards to facilitate federated discovery, access, correlation, and monitoring across federal networks and security domains;
- extending and implementing the Federal Identity, Credential and Access Management (FICAM) road map across all security domains; and
- implementing removable media policies, processes and controls; providing timely audit capabilities of assets, vulnerabilities and threats; establishing programs, processes and techniques to deter, detect and disrupt insider threats; and sharing the management of risks to enhance unclassified and classified information safeguarding efforts.
"This Strategy makes it clear that the individual privacy, civil rights, and civil liberties of United States persons must be—and will be—protected," President Barack Obama wrote in the document's introduction. "Our national security depends on sharing the right information with the right people at the right time. We will therefore keep working to maintain an environment in which information is shared in a manner that is responsible, seamless, and secure."