We've been working on this very hard and it's been a big success. (Last November the SANS Institute awarded the IAD and their partner, the Trusted Computing Group, the 2011 National Cybersecurity Innovation Award.)
What worries the NSA?
Probably the biggest two worries for us right now are mobility and cloud computing because the government wants that functionality the way that business wants it, but looks to NSA to tell them how to be secure while doing it.
A big trend is the consumerization of IT; a lot of folks [outside of government] are bringing in personally owned devices and utilizing them for work functions. Recognizing both the benefits of such mobility and the dangers of rather powerful, connected devices managed by their owners instead of the office, the IAD released "Security Tips for Personally Managed Apple iPhones and iPads" and established the NSA Mobility Program which recently released v1.2 of the "Mobility Capability Package".
We aren't publishing much on cloud, we are letting NIST be that public face, but we are providing technical input into the things that they are writing. In fact NIST, the National Institute of Standards and Technology, has just released "Guidelines on Security and Privacy in Public Cloud Computing".
What other areas are you focusing on?
Wireless is a big area that IAD is working on. How can you stand up secure enterprise wireless? How can it be protected from attacks? (An example of work done in this area is a 2011 report "DoD Bluetooth Peripheral Device Security Requirements" that specifies the requirements for the secure use of unclassified Bluetooth peripheral devices in the U.S. Department of Defense.)
Another big one on our challenges list is security operation visibility and response. This is huge both inside and outside government. As cyber threats accelerate, our window for response is shortened.
The No. 1 thing, if I were a CIO, that I would not want to hear from my staff is: "There is this huge vulnerability announcement on product X. How much of product X do we have and what is our exposure?"
If your staff looks at each other and says "we don't know," that's a problem. To raise the bar on visibility and response, the IAD released the "Manageable Network Plan" for CIOs and network admins, based on the principle that an unmanageable network is insecure. The first half walks you through eight milestones to make your network manageable, and the second half includes tasks that will increase reliability, security, and ease of effort going forward.