The National Security Agency is developing cybersecurity guidelines to apply to its own systems and ultimately to any government or contractor network, according to sources familiar with the effort.
A 38-member team is drawing up the guidelines, which will be based on a list of 20 cybersecurity controls developed two years ago by an independent panel of government and nongovernment experts.
NSA spokesmen would neither confirm nor deny the program's existence.
The original guidelines were designed to promote continuous network monitoring, but they were largely sidestepped by the Defense Department and contractors. Still, they generated intense debate in military security circles, leading to the NSA's current project.
"What you are seeing is while the 20 points were developed two years ago and a lot of things have languished publicly, there has been an effort to run these things," said retired Maj. Gen. Dale Meyerrose, a former chief information officer for the office of the Director of National Intelligence.
Meyerrose said that while he was familiar with the effort, he is not involved in it.
Knowledge of the NSA program emerges as the Pentagon evaluates its Defense Industrial Base Cyber Pilot, a test program in which more than a dozen volunteer contractors received DoD information about cybersecurity threats in exchange for information about attacks on their own corporate networks.
The pilot program was viewed as a potential model for improved cybersecurity in the contracting community, and experts say it has seen some success. But sources said participating companies have not been fully forthcoming about attacks, and much of the intelligence DoD shared with the businesses was not new to the defense companies.
Still, the pilot could determine whether NSA officials decide that voluntary programs are unworkable and insist instead on mandatory compliance.
Meyerrose cited parallels between the pilot and the new guidelines.
"They are not unrelated, and I'm very confident that [NSA Director] Gen. [Keith] Alexander will draw off of that on things not to do and things to do," he said.
Alexander, who also runs U.S. Cyber Command, wants his program to be a "lead first" approach, according to a source with knowledge of the general's thinking.
"Right now, this is demonstrating what works," said the source. "They're doing it for themselves."
The NSA team aims to first apply the 20-point list internally and later encourage other agencies to follow.
Drawn up by a group led by former Air Force chief information officer John Gilligan, "Twenty Critical Security Controls for Effective Cyber Defense" was released in 2009 in part to move organizations from periodic paper reports, which failed to detect problems quickly enough, toward continuous security awareness.
Gilligan said he was surprised by DoD's delay in implementing the various points.
"I've asked myself, 'Why is this taking so long?' It seems so obvious," he said.
NSA would not comment on that either. But Gilligan said NSA has been involved in these efforts for years.
"NSA was a major player in the origins of the controls," he said. "They probably won't say that publicly, but the analysis threat patterns originally came from the NSA."
NSA routinely tests defense network security and frequently penetrated networks Gilligan was responsible for protecting when he was with the Air Force.
"I said to the NSA, 'You coming in every year and just pointing out that you can break in relatively easily is not helpful. You need to tell me how to prevent that,'" he said.
Three-quarters of the points in the document address continuous monitoring, while the remaining quarter deals with wider analysis of systems.
Some of the suggestions in the document have been used by government agencies. The State Department, for example, saw a 90 percent decline in attacks in the first year after converting to continuous monitoring, according to a Department of Homeland Security report. State's effort was headed by John Streufert, who will take over duties as the new director of the National Cyber Security Division at DHS this month.
But many of the ideas listed in the critical controls document have yet to be implemented by DoD or by defense contractors with access to classified information.
"We know that it's effective," said James Lewis, who was part of the group that developed the list of controls and is a cyber expert at the Center for Strategic and International Studies. "It will take another push to get people to move toward continuous monitoring."
Extending coverage and creating guidelines do, however, raise the question of what kind of control, if any, the government should have over companies' networks, a question the framework team has not yet fully addressed.
"It is this age-old question of trying to figure out what role the military should have in cyberspace," Meyerrose said. "There are two sets of opposing good intentions. The first is that the best assets of the United States government ought to be available to the American people, in commerce and other things. And there's the other, where we don't want the military intruding into other areas beyond the dot-military domain."