September 15, 2010 - Historically, civilian and national security-related information technology (IT) systems have been governed by different information security policies and guidance. Specifically, the Office of Management and Budget and the Department of Commerce's National Institute of Standards and Technology (NIST) established policies and guidance for civilian non-national security systems, while other organizations, including the Committee on National Security Systems (CNSS), the Department of Defense (DOD), and the U.S. intelligence community, have developed policies and guidance for national security systems. GAO was asked to assess the progress of federal efforts to harmonize policies and guidance for these two types of systems. To do this, GAO reviewed program plans and schedules, analyzed policies and guidance, assessed program efforts against key practices for cross-agency collaboration, and interviewed officials responsible for this effort.

Federal agencies have made progress in harmonizing information security policies and guidance for national security and non-national security systems. Representatives from civilian, defense, and intelligence agencies established a joint task force in 2009, led by NIST and including senior leadership and subject matter experts from participating agencies, to publish common guidance for information systems security for national security and non-national security systems. The harmonized guidance is to consist of NIST guidance applicable to non-national security systems and authorized by CNSS, with possible modifications, for application to national security systems. This harmonized security guidance is expected to result in less duplication of effort and more effective implementation of controls across multiple interconnected systems. The task force has developed three initial publications. These publications, among other things, provide guidance for applying a risk management framework to federal systems, identify an updated catalog of security controls and guidelines, and update the existing security assessment guidelines for federal systems. CNSS has issued an instruction to begin implementing the newly developed guidance for national security systems. Two additional joint publications are scheduled for release by early 2011, with other publications under consideration. Differences remain between guidance for national security and non-national security systems in such areas as system categorization, selection of security controls, and program management controls.