This program can increase the security of computer systems, networks, and data. It will increase understanding of new security technologies and the security implications of new IT technologies. Specifically, the program can have the following impacts: - Eliminate duplication of efforts across Federal agencies and industry - By improving the understanding of new security technologies, increase and expedite the adoption of needed technologies, and reduce the adoption of unneeded technologies - Make the adopters of new IT technologies aware of their security implications so that security can be properly taken under consideration through the technologies a life cycles, which reduces the impact that deploying new technologies will have on organizations security postures. Specific examples of this have been in the wireless security area where NIST advice significantly and demonstrably influenced the relevant security vendors and standards groups.
Security is becoming increasingly complicated and difficult both on technical grounds and on policy grounds. Technically, Federal agencies and other have to secure an ever-increasing variety of computing devices, media, data, applications, and networks in highly mobile and dynamic environments. The threats against computing resources are rapidly changing as well, largely because current attackers are generally seeking financial gain; many current attackers use highly sophisticated attacks against specific targets or physically steal mobile devices and media to gain access to their data. Existing security practices are often not effective at stopping these attacks. On policy grounds, CIOs in the private and public sector are confronted with a bewildering array of policy imperatives (safeguard privacy information, report breaches of security, prevent peer-to-peer software use, comply with many regulatory regimes, etc.) with static budgets. New security technologies are constantly emerging to counteract new threats and protect new IT technologies, but these new security technologies are usually piecemeal solutions. This creates even more security components for organizations to consider implementing. Each organization needs to learn about and understand the new component; determine how helpful it would be and how it would integrate with the existing security architecture and operations; and then integrate a selected component into the security architecture and manage it effectively. Organizations often do not have reliable, neutral sources of information to help them perform these steps.