Joint Task Force Transformation Initiative Interagency Working Group

Overview
A Joint Task Force Transformation Initiative Interagency Working Group was formed in April 2009 with representatives from NIST, DOD, and ODNI to produce a unified information security framework for the federal government. Instead of maintaining parallel risk management and systems security publications for national security systems and non-national security systems, the intent is to have common publications to the maximum extent possible. Harmonized security guidance is expected to result in less duplication of effort, lower maintenance costs, and more effective implementation of controls across multiple interconnected systems. In addition, the harmonized guidance should make it simpler and more cost-effective for vendors and contractors to supply security products and services to the federal government.

The task force arose out of prior efforts to harmonize security guidance among national security systems. In 2006, the ODNI and DOD CIOs began an initiative to harmonize the two organizations’ certification and accreditation guidance and processes for IT systems. For example, in July 2006, DOD and the intelligence community established a Unified Cross Domain Management Office to address duplication and uncoordinated security activities and improve the security posture of the agencies’ highest-risk security devices. In January 2007, the DOD and ODNI CIOs published seven certification and accreditation transformation goals that included development of common security controls. According to DOD, by July 2008, DOD and the intelligence community were working on six documents that mirrored similar NIST risk management and information security publications. In August 2008, the CIOs signed an agreement adopting common guidelines to streamline and build reciprocity into the certification and accreditation process.

As this effort progressed, the agencies involved determined that it would benefit from closer engagement with NIST and the development of common security guidance. NIST had been informally involved in the harmonization effort for several years, but, according to CNSS, DOD, and ODNI, during the CNSS annual conference in the spring of 2009, the CNSS community decided to more actively engage NIST and agree to use NIST documents as the basis for information security controls and risk management. The committee also agreed to complete policies and instructions to support use of the NIST publications. Following the conference, a memo from the Acting CIO for the intelligence community stated that the intelligence community intended to follow CNSS guidance that pointed to related NIST publications.

NIST currently leads the working group and the task force publication development process. Working group members are selected for each publication from participating agencies and support contractors to provide subject matter expertise and administrative support. In addition, the task force is guided by a senior leadership team from NIST, CNSS, DOD, and ODNI that reviews and approves the harmonized publications.