All IT domains continue to make broad use of incremental system and software development methodologies to improve the efficiency of deploying projects small and large. Those methodologies are even extending beyond traditional development to include system integration and program management. When it comes to the U.S. Government, though, there is one aspect of oversight that is preventing managers from making effective use of incremental methodologies: Security. While project teams share some blame by often actively and explicitly discounting security objectives (in my direct experience), I submit that the lion's share of the blame should fall on Information System Security Officers (ISSOs) and Managers (ISSMs).
The National Institute of Standards and Technology (NIST) has also failed to execute its mission to be "responsible for developing information standards and guidelines" in what I would consider a timely and effective manner in relation to incremental development methodologies. But, agency Chief Information Officers (CIOs) can meet legacy NIST guidelines, certify systems developed under those methodologies, and even improve security of their agency system, without running afoul of NIST guidelines, if only they were willing (and able) to make some strategic changes in how they manage system security compliance activities.
The National Institute of Standards and Technology (NIST) has also failed to execute its mission to be "responsible for developing information standards and guidelines" in what I would consider a timely and effective manner in relation to incremental development methodologies. But, agency Chief Information Officers (CIOs) can meet legacy NIST guidelines, certify systems developed under those methodologies, and even improve security of their agency system, without running afoul of NIST guidelines, if only they were willing (and able) to make some strategic changes in how they manage system security compliance activities.
