Security system checks take too long, experts say

Current certification and accreditation processes for federal information systems don’t reflect the modern network environment, a panel said today.

Current security certification and accreditation (C&A) processes for federal information systems are too slow and don’t reflect the modern network environment, a panel of federal information-sharing experts said today.

The processes can take so long that the products undergoing C&A can be obsolete by the time they are approved, said Daniel Kent, director of systems engineering for U.S. federal sales at Cisco Systems.

The process should take months, not years, Kent said. “If we could speed it up, everyone would be a lot happier."

Kent spoke on a panel about information sharing presented by the Flyzik Group, a strategic consulting firm, Federal News Radio and Trezza Media Group. It was sponsored by Unisys and Cisco Systems.

The federal government needs a sense of urgency about information sharing and the C&A process, said Jim Flyzik, principal with the Flyzik Group and the panel’s moderator. Flyzik is a columnist for Federal Computer Week magazine.

Many C&A procedures in use, particularly those for intelligence systems, date from the pre-network and pre-Internet eras, said Dale Meyerrose, associate director of national intelligence and chief information officer at the Office of the Director of National Intelligence (ODNI).

Beginning this summer, ODNI will work with other federal, private-sector and academic partners to re-engineer C&A processes, Meyerrose said.

The FBI and other organizations are struggling with C&A, said Zalmai Azmi, the FBI’s CIO. The FBI is working with the Justice Department and ODNI to streamline the processes and develop uniform C&A standards for all departments, Azmi said. Guidance from ODNI will be crucial, he said.

In addition to fixing C&A processes, the federal government needs to make progress on its information sharing, the panel members said.

The private sector is frustrated because even though that is where most information sharing actually occurs, discussions about information sharing have produced few implementations, said Greg Baroni, president of Unisys’ global public sector.

“I feel like there has been a loss of urgency since 9/11,” Baroni said.

Federal agencies must share as much information as they can while still ensuring privacy and civil liberties, said Karen Evans, administrator of e-government and information technology at the Office of Management and Budget. All actions to improve information sharing must show real results, she said.

The ODNI provides a cross-governmental forum to provide measures of effectiveness that can serve as incentives to share information, said Vance Hitch, CIO for the Justice Department.

The federal government needs a strategy for information sharing, Meyerrose said. Agencies should think big, start small and grow their information-sharing capabilities quickly, he said. They should define their reasons for sharing information in as granular a way as possible so that processes have meaning, he added.

Finally, agencies need to create an information-sharing cycle that every organization follows, Meyerrose said. The cycle should discover what information agencies have and how different people can access it, he said.

The federal government must review whether its information is overclassified and should be shared with state and local partners, Azmi said. The government must share information to empower decision-making at the lowest level possible to enable quick and appropriate action, he said.

The FBI has looked through its data and will share some of it with state and local partners through the Regional Data Exchange program the bureau is developing, Azmi said.

Federal departments are still struggling with their ability to share information, said Carter Morris, director of information sharing and knowledge management in the Office of Intelligence and Analysis at the Homeland Security Department. They must set priorities because they don’t have the resources to do everything they want, he said.

“Determining priorities in this business is something we all have to work at, and I don’t think we’re there yet,” Morris said. One priority agencies should have is putting more processes in place that help them meet their missions, he said.

A recording of the discussion, which will air April 4 at 2:05 p.m. EDT on WFED 1050 AM in Washington, D.C., will be available for download at www.federalnewsradio.com the same day.