The Wifcon Forums and Blogs

Don Mansfield

What's wrong with this response?


Do you see anything wrong with the FAR Council's response to a question about the distinction between "safeguarding" and "information security"?

Quote

There is a basic distinction between "safeguarding" and "information security." "Safeguarding" is a verb and expresses required action and purpose. The term "safeguarding" is common in Executive orders relating to information systems. Although safeguarding has some commonality with "information security" the focus of information security is narrower. Safeguarding the contractor's information system will promote confidentiality and integrity of data, but is not specifically concerned with data availability.

Quoted from 81 FR 30442, 16 May 2016.


I may be slow, but I don't understand the difference between "safeguarding" and "information security" after reading the answer. 

I gleaned that "safeguarding" is a verb and "information security" is not, and that they are trying to establish "information security" concerns data availability and "safeguarding" does not.  However, that sounds like information security is the narrower term, not the other way around.  Do you think there was a mix-up?


Safeguarding applies to the contractor information system, not to specific information within the system. Information security applies to only securing the information. Therefore, information security is narrower than safeguarding. For example, you could secure information by encryption and redundancy. You safeguard through authentication; securing information (methods identified previously); limiting network availability; hardware/software; or physical security. Information security is one aspect of safeguarding an information system.

The FAR Council got it right.


I know that every specialty has its own jargon. But sometimes it helps to be reminded how terms are commonly used outside of one's narrow specialty.

"Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical)." - Wikipedia

"Safeguard" has many definitions. 15 U.S.C. Section 6801, commonly called "The Safeguards Rule," requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect clients’ nonpublic personal information. -- Wikipedia

Based on common language definitions, InfoSec is the general term and Safeguard is the more narrow term.

My point is, when rule-makers draft rules that twist commonly accepted meanings, or create subtle distinctions through use of jargon that even well-read practitioners have trouble discerning, then nobody should be surprised when contractors cannot figure out what is required and are noncompliant. Yes, we have to turn square corners but if we can't figure out where the corners are, it's difficult to make the turn.


"Safeguarding" has to be taken in context with the entirety of the rule. Per the rule, "[t]he intended purpose of the rule is to provide basic safeguarding of covered contractor information systems" (ibid). Therefore, safeguarding in the comment response quoted by Don refers to safeguarding of a covered contractor information system. The security of information (the data) on that system is a narrower scope than safeguarding of the entire information system (the hardware, software, components, network, environment, etc.).

18 hours ago, Don Mansfield said:

Do you see anything wrong with the FAR Council's response to a question about the distinction between "safeguarding" and "information security"?

Don:

A point of order: Did the response in question literally come from the FAR Council, 41 U.S.C. §§ 1301 and 1302, or did it come jointly from the DAR Council and the Civilian Agency Acquisition Council? I cannot recall ever having seen any kind of public response to anything from the FAR Council.

Anyway, your question is obscure. What do you mean by "wrong"? Do you mean factually incorrect? Grammatically incorrect? Whatever you mean, the proper answer to it would be yes or no. Is that all that you want to know, whether I see anything "wrong"? Yes or no? Or do you want to know what if anything I think to be wrong with the response?

If you meant "wrong" in a broader sense, such as poorly worded, silly, vague, or ambiguous, do you literally mean "anything"? If so, then I might say that safeguarding could be a present participle and not a verb, depending on the usage context, which is not provided. Safeguarding might be a noun depending on context. Another thing wrong is that while the response suggests that the distinction lies in the ways in which the two terms are used in executive orders, it does not cite and provide examples. Another thing wrong is that the response asserts that there is a distinction between safeguarding and information security, but does not define either term.

I could go on. My complaint here is not about the councils' response, which is typical of the poor quality work done by the councils, but about your question, which is one of the species of "mystery questions" that teachers ask students to prompt them to think, in reaction to which the students think that the question is dumb. Instead of prompting a response, it makes them wary of a trap. I didn't like mystery questions in junior high school, and I still don't like them.

My answer to your question is yes, I see something "wrong" with the councils' response.

Sorry to criticize in this way, but as you know, I'm lately into the topic of questions.


Don's question was prompted by FAC 2005-88, Item III, "Basic Safeguarding of Contractor Information Systems," 81 Fed. Reg. 30439, 30442, May 16, 2015, which took effect on June 15.

Quote

Comment: One respondent requested clarification of "safeguarding." According to the respondent, the definition of "safeguarding" neither refers to nor incorporates the definition of "information security." The respondent questions whether the rule intends to distinguish between information security and safeguarding.

Response: There is a basic distinction between "safeguarding" and "information security." "Safeguarding" is a verb and expresses required action and purpose. The term "safeguarding" is common in Executive orders relating to information systems. Although safeguarding has some commonality with "information security" the focus of information security is narrower. Safeguarding the contractor's information system will promote confidentiality and integrity of data, but is not specifically concerned with data availability.

FAR 4.1901 now defines safeguarding as follows: "Safeguarding means measures or controls that are prescribed to protect information systems."

Thus, safeguarding, which the councils' response says is a verb, is defined as meaning "measures" and "controls," which are nouns, not verbs.

It seems to me that as a verb, safeguarding means keeping something safe or guarding something to keep it safe from something. It could have been defined as taking measures and exercising controls in order to protect information systems from unauthorized access and intrusion.

The councils' response is nonsensical, and the definition is silly. All in all, typically sloppy work by the Defense Acquisition Regulations Council and the Civilian Agency Acquisition Council. They should be embarrassed.


The word "safeguard" is a verb when used to mean to make things safe. For example, "I safeguard information systems". The word "safeguarding", when used to refer to the activity of keeping things safe, is a noun. For example, in the sentence "Safeguarding is fun.", "safeguarding" is the subject noun. "Safeguarding" could also be used as an adjective, as in "This contract has a safeguarding requirement." This pattern can be seen in the entry for "swimming" at m-w.com 

The councils (Vern is right--not the FAR Council) use the word "safeguarding" as a noun in the title of the rule: "Basic Safeguarding of Contractor Information Systems". The adjective "basic" is used to describe the noun "safeguarding". They also use the word as an adjective (e.g., "safeguarding requirements"). They don't use the word in any other way.


I was having a fun conversation with a co-worker about the newly issued proposed DFARS revisions on technical data rights -- all 100+ pages of it. We were discussing the following definition:

"Form, fit, and function data means technical data or computer software that describes the required overall physical, logical, configuration, mating, attachment, interface, functional, and performance characteristics (along with the qualification requirements, if applicable) of an item or process to the extent necessary to permit identification of physically or functionally equivalent items or processes. The term does not include computer software source code, or detailed manufacturing or process data."

Our first question was about the phrase "computer software" which appears multiple times in the proposed rule. Is there another type of software other than computer software?

Our second question was about the application of the phrase "form, fit, and function" to software. The rule-makers obviously went to great lengths to define what they think they mean, but what do they mean? "FFaD data means technical data or ... software that describes the required overall physical ... characteristics ... of an item or process ..." What does that mean? Do we really have software that actually describes the required overall physical characteristics of an item or process? If so, why?

Maybe it's our ignorance but we didn't get it.


Language is a challenge. This morning there is a long piece in The New York Times about the meaning, use, and implications of the term "radical Islam." The article shows how hard it is for people to communicate what is in their heads via the medium of language. What does "red" mean?

It is understandable that regulatory language will be problematical. I write for a living, and although I have been doing it for many years I still find it hard to say what I mean, and I know that I don't always do it as well as I wish. Everything depends upon the clarity of one's thoughts, one's understanding of the thoughts and thought processes of others, and one's facility with words. I struggle to understand what I want to say and then to say it in a way that communicates my meaning as clearly as possible to as many of my readers as possible. Expression is as much a process as it is a result. That's all there is to it--refine, refine, refine. But the rule promulgating process makes iteration and refinement difficult, if not impossible. All the more reason for the FAR councils to be careful and to employ first-rate editors.

My favorite coffee mug bears this motto: "Revise. You know you want to."


I often have to draft policy position papers, procedures, and instructions. Essentially there are two ways to do it: (1) create a working group or committee and start outlining and writing in a giant, iterative, brainstorming session--and then submit the end product for review; or (2) prepare an initial draft on my own and then submit to a working group or committee to receive feedback, questions, suggested edits, etc--and then revise on my own and resubmit until the end product is mutually acceptable.

The second method is always much faster and results in a better end product.


I write internal contracting policy and procedures for the agency I work for. We employ the second method here_2_help cites above, except that we generally revise the document during the working session and arrive at the final version during the meeting, rather than resubmit multiple times. A draft is written and then a working group, usually 3 or 4 including the author, reviews the document and improves upon it. From my perspective, it is critical that the individuals who are writing and reviewing the policy not only be subject matter experts and have a command of the pertinent laws, regulations, and policies, but it is also essential that they have been practitioners. Too often I see policies/procedures that are not clear and actionable, likely because the person writing the policy had never done the work before and/or does not fully understand the process or the tasks involved in it.

56 minutes ago, Todd Davis said:

Too often I see policies/procedures that are not clear and actionable, likely because the person writing the policy had never done the work before and/or does not fully understand the process or the tasks involved in it.

More likely because he or she can't (or doesn't) think clearly and can't (or doesn't) write well.
