Part III: Fed Guidelines for Social Media Review
In my previous post, we reviewed the rationale behind the Federal CIO Council's release of secure social media usage guidelines. This was primarily tied back to President Obama’s memorandum on Transparency and Open Government and the growing popularity of social media (Web 2.0) in the workplace. We also touched on the lack of concrete implementation advice for social media within the guidelines document.
The guidelines abruptly switch over to outlining the current use of social media within government, but not before mentioning two researchers at the National Defense University, Dr. Mark Drapeau and Dr. Linton Wells. They are quoted for the government’s definition of social media and the four specific types of uses within the Federal Government. What is more interesting is that these gentlemen wrote a research paper for the Feds that is a large component of the Social Media Guidelines. The name of the document is Social Software and National Security: An Initial Net Assessment. I highly recommend that those individuals charged with the responsibility for or implementation of social media within their agency read that document. It is highly informative and has copious footnotes to other research that will provide a better view of the social media landscape within the Federal Government and abroad. Also, it has been my experience that these footnoted sources can then be used as supporting documentation when an agency’s own policy is crafted, since they have already been used in other official guidelines.
The guidelines discuss at length the direction of sharing and level of interaction in the governmental social media milieu. Basically it boils down to sharing content within governmental agencies and with non-governmental organizations and how the risk profile changes. For interdepartmental sharing within an agency the Federal Information Security Management Act (FISMA) rules apply. Once an agency crosses over into social media interactions with other agencies and non-governmental organizations, the guidance gets diluted. The guidelines point to five government agencies, none of which are the definitive resource for social media implementations. The five referred to are National Institute of Standards and Technology (NIST), Department of Defense (DOD), Office of Management and Budget (OMB), Government Accountability Office (GAO) and the Department of Homeland Security (DHS).
NIST has scores of documents, none definitively linked to social media and the policies that should surround it. I would recommend starting with the Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) and the Guide for Developing Security Plans for Federal Information Systems. There are others that apply tangentially, but these two should be the starting point in my view.
The DOD has a well-organized page for security policies regarding web applications. However, I would start with the Policy for Department of Defense Internet Interactive Activities memorandum. The document is from 2007, so its applicability to social media is dubious. The document does refer to the creation of a “Best Practices for Internet Interactive Activities” by USSOCOM in the near future. However, I was unable to find this document during my research for this article, so I assume it is still being developed in the bowels of the government. On a brighter note, the DOD has an interesting Social Media Hub that should provide actual implementation data and humans to contact.
OMB offers ye olde Circular A-130 as its entry in the information security arena. Last updated in November of 2000, it should come with tips on the revulcanization of the tyres for your Model T. It’s still good to be familiar with this document, however, since it will obviously be around for a long time to come.
The GAO has adopted FISMA as its internal standard. Since the GAO audits federal agencies for their compliance with federal guidelines, it is interesting to note how agencies are faring in their efforts to become more secure. These audit findings are valuable intelligence that will assist in closing any gaps an agency could have, so you don’t end up in the same reports.
The DHS National Cyber Security Division has an interesting link that drops you into an application security site called Build Security In. The site is similar to NIST in regards to the large number of security-related articles to review. For a shortcut, take a look at the Ten Most Recently Modified Articles section for the latest.
The Federal CIO Council lists as its last and latest example the social media guidelines published by the U.S. Air Force. The US Air Force New Media Guide (2009) is an excellent document that is short, concise and provides valuable guidance on social media implementations. It is a must-read for any organization that is considering a foray into the Web 2.0 sphere.
On a side note, while researching this article, I came across the Information Assurance Support Environment, an entity sponsored by the Defense Information Systems Agency. It is a clearinghouse for all things IT within the government umbrella. The site is overwhelming at first, due to the vast amount of data that is presented. I would recommend that you start here for simplicity’s sake. This site puts the herculean task faced by many CISOs and CIOs in a stark light when it comes to following the appropriate security policies for their federal agencies. This overt display of absurd policy complexity shows why the black hats will continue to gain ground on their targets. They do not operate in a blizzard of paperwork, and it behooves the security community to demand the same. That is a topic for another day, however.
In my next article on the Federal Social Media Guidelines, we will look at the various types of security threats that are amplified by social media and mentioned in the document. I will also review the recommendations of the CIO Council on how to combat them and provide additional sources of information.