EXOP - Office of Science and Technology Policy

Quit reinventing the "IT Security Policy" wheel !

I am an IT Security Engineer that has worked for numerous agencies within multiple different departments (DOD, DOS, DHS, Treasury, etc...). It seems to me that every agency insists on having their own IT Security Policy for sensitive but unclassified data even though I would estimate that about 90% of it is the same no matter what agency it is. (For example, how many people out there are required to use a "strong" password"? Yet every agency of every department within the federal government is required to have a policy telling you that a "strong password" is required.)


It seems to me that we could have a single group create an overarching policy that covers the entire federal government and then agencies would merely need to fill in the 10% that is unique to them. Better yet, establish a committee with representatives from each agency to develop a single policy that can apply to all sensitive but unclassified data across the entire government.


We already have NIST creating "guidance", which the entire federal government must comply with (for non-classified systems)...and we have FDCC guiding the technical configuration of workstations, so it doesn't seem like a far stretch to have one group create policy.


I believe this could save millions of dollars every year for many years because (1) new agencies wouldn't have to create all new policies; and (2) existing agencies wouldn't have to continue revisiting and updating their policies every year.



Idea No. 13112