Cyber Security Policy Chart (via Wired:Danger Room)
There are 193 different documents that make up the trusted GIG platform. Their documentation is so large that when you actually chart it out, it’s over 2 feet long. And you wonder WHY things are so slow within the government, or why it’s so hard to get something done…
Now, don’t get me wrong, there’s a lot of planning and preparation that goes into security. It’s a fairly complex process as it is. But when you add in government bureaucracy, top it off with government politics and compliance policies, you just end up with some kind of monster. I understand the need for it, I understand the need to want to standardize things. But come on. There’s GOT to be a better way of doing this. Level things out, and make things less complicated than they have to be.
Yes, there are different levels of security that must be taken. Yes, there are different processes that must be maintained, but come on! Let’s take all of the certification and accreditation processes and put them under the same document. Section it off in that one document so that you don’t have to carry around a library when you’re trying to get something done!!!
That being said, I could just be full of bunk. But I’m sure I’m not the only one that thinks this is too much documentation and policies. There’s got to be someone on the inside that feels the same way.
Developed by the DASD CIIA (that’s the Deputy Assistant Secretary of Defense for Cyber, Identity & Information Assurance), the goal of the chart is to “capture the tremendous breadth of applicable policies, some of which many IA practitioners may not even be aware, in a helpful organizational scheme.”
And what a breadth it is: dozens and dozens of directives, strategies, policies, memos, regulations, strategies, white papers and instructions, from “CNSSD-901: National Security Telecommunications and Information Security Systems Issuance System” to “CNSSP-10: National Policy Governing Use of Approved Security Containers in Information System Security Applications” to “SP 800-37 R1: Guide for Applying the Risk Management Framework to Federal Information Systems.”