It's been an ongoing theme since I left federal employment for the cyber security industry -- defining the proper place of federal initiatives in my employers' overall company goals and objectives. Of course in my role as the federal advocate, I'm always looking for more investment in what my government customers need.
Some companies are heavily focused on the government sector, quick to respond to each new Federal initiative, standard, regulation or certification. Sometimes this pays off; sometimes it's a rabbit trail. Other companies have a broad customer base and constantly have to weigh investment in uniquely federal requirements (whether it's FIPS standards, Section 508 compliance, PIV, SCAP validation or CyberScope reporting) against the competing demands of their commercial customers for specific improvements in product features.
I've been in both places. Both have their challenges. But I have to say that it seems to me that having a broad customer base (federal, financial, health care, energy, retail...) leads to a result that is ultimately better for *everyone* than trying to focus on the needs of just the feds - even from my perspective advocating for Federal customers. Value flows both ways.
An emerging example of federal initiatives bringing value to our commercial customers seems to be developing with SCAP (the Security Content Automation Protocol). We are definitely seeing private companies start to take an interest in the power and flexibility that are afforded when a broad segment of security companies start to speak the same underlying language.
Another interesting example, with the value flowing in the other direction, has emerged with File Integrity Monitoring. File Integrity Monitoring has been a key part of nCircle's offerings for four years, as we addressed the needs of retailers and card processors rushing to comply with the PCI Data Security Standard. File integrity monitoring is a critical component of assuring appropriate protections for sensitive credit card information, but it was a discipline that had not been widely understood or adopted in the Federal space.
That changed with the release in 2009 of NIST SP 800-53 rev 3. Agencies are starting to grasp the implications of some of the new requirements, summarized below - and now we're hearing from our Federal customers across the spectrum looking for help meeting these new objectives. Fortunately, we already can offer a solution - courtesy of our engagement with the commercial retail market.
NIST File Integrity Monitoring Requirements
| CP-9 | Information System Backup | The organization conducts backups of user- and system-level information and protects the confidentiality and integrity of the backup information. |
| SI-4 | Information System Monitoring | The organization monitors events on the information system to detect attacks, indicators of potential attacks, and unauthorized use. (The familiar "deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly" wording is PCI DSS Requirement 11.5, which is the same discipline SI-4 and SI-7 now call for on the Federal side.) |
| SI-7 | Software and Information Integrity | The information system detects unauthorized changes to software and information. |
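To make concrete what the SI-7 "detects unauthorized changes to software and information" objective and the PCI-style "critical file comparison" actually involve, here is a minimal file integrity monitor. This is an added illustration, not nCircle's product code or anything from NIST or the PCI Council; the `/etc`, `/bin` and `/tmp` layout, the file names and the tampering steps are all constructed inside a temporary directory so the script runs offline. It records a SHA-256 digest plus ownership, permission bits and size for every regular file under a root, then reports files that were added, removed or modified since the baseline.

```python
"""Minimal file integrity monitor: baseline, then compare (illustrative, not a product)."""
import hashlib
import os
import shutil
import stat
import tempfile


def file_record(path):
    """Collect the attributes a FIM compares: content digest, mode, owner and size."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),   # permission bits incl. setuid/setgid/sticky
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def build_baseline(root):
    """Walk root and record every regular file (symlinks are skipped, not followed)."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline


def compare(baseline, current):
    """Report added, removed and modified files; 'modified' lists which attributes changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed host image, baseline it, tamper with it, and run the comparison."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        # Constructed sample files standing in for critical system/config files.
        for sub in ("etc", "bin", "tmp"):
            os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, "etc", "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(root, "etc", "hosts.allow"), "w") as fh:
            fh.write("sshd: 10.0.0.0/8\n")
        tool = os.path.join(root, "bin", "tool")
        with open(tool, "w") as fh:
            fh.write("#!/bin/sh\necho ok\n")
        os.chmod(tool, 0o755)

        baseline = build_baseline(root)

        # Simulated unauthorized changes an SI-7 control is meant to catch.
        with open(os.path.join(root, "etc", "passwd"), "a") as fh:
            fh.write("backdoor:x:0:0::/root:/bin/sh\n")        # content change
        os.chmod(tool, 0o4755)                                  # setuid bit added, content intact
        os.remove(os.path.join(root, "etc", "hosts.allow"))     # protection removed
        with open(os.path.join(root, "tmp", "dropper.sh"), "w") as fh:
            fh.write("#!/bin/sh\n")                             # new file appears

        return compare(baseline, build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    report = demo()
    for kind in ("added", "removed"):
        for rel in report[kind]:
            print(f"{kind.upper():8} {rel}")
    for rel, attrs in report["modified"].items():
        print(f"MODIFIED {rel}: {', '.join(attrs)}")
```

Two things the toy deliberately surfaces: the `bin/tool` change is caught only because permission bits are part of the record (a hash-only monitor would miss a newly set setuid bit), and the baseline must be stored and signed somewhere the monitored host cannot rewrite, or an intruder simply re-baselines after tampering. Running the comparison on a schedule (the "at least weekly" cadence from PCI DSS 11.5, more often for a real deployment) is what turns this from a one-off audit into monitoring.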
I'm happy to say that the current administration seems committed to leveraging the value of commercial engagement. At a TechAmerica Homeland Security Committee meeting this week, guest speaker Bruce McConnell of DHS reiterated that DHS, at least, continues to see the value in a strong commercial strategy -- using relationships and market drivers to get the cybersecurity innovation that is needed, not special buying requirements or "milspecs."
If you like, you can check out a short video about the nCircle File Integrity Monitoring solution here.
