Feds having trouble finding money, people for cybersecurity

CRYSTAL CITY, Va.—Despite mounting pressure from Congress to make tangible progress on the governmentwide effort to protect critical federal information systems from hackers and other criminals, agencies continue to struggle with funding, personnel and training roadblocks, officials said today.

Under Presidential Decision Directive 63, signed in May 1998, all federal agencies are required to develop plans and take steps to protect their critical infrastructure. Agency chief information officers have been charged with leading the protection of information systems under PDD 63 and are receiving pressure from administrators, Congress and auditors to install protective measures as soon as possible.

Agency CIOs, however, said they are having trouble finding the resources to follow through.

"It requires a lot of dollars to do PDD 63," said Roger Baker, CIO at the Commerce Department, during a panel session at the National Information Systems Security conference here. Making matters worse, the Office of Management and Budget has told Commerce to find the money it needs for cybersecurity within current budgets, not from new appropriations, Baker said.

Other agencies are experiencing similar problems, including the Energy Department, which, despite several high-profile security breaches, recently lost its battle with Congress to get $35 million added to its fiscal 2000 budget for cybersecurity, said John Gilligan, CIO at DOE.

Although lack of personnel is another well-known problem, most agencies are finding out that the real issue is training and awareness for current employees.

NASA, for example, recently worked with the Defense Information Systems Agency to develop a new multimedia training CD-ROM that all NASA personnel are required to use. However, managers and system administrators require a different level of training, and the agency is putting together a pilot certification program at the John H. Glenn Research Center in Ohio.

"System administrators are a critical point for us, and we are not yet happy about our training for our system administrators," said David Nelson, acting deputy CIO at NASA.

Like many agencies, the Defense Department also is working with other agencies and with industry to find commercial products that meet the agency's security needs.

"We need to work together and communicate [and] collaborate more closely than ever before in order to be effective," said Christopher Mellon, deputy assistant secretary of Defense for security and information operations.

One solution DOD is considering is issuing a directive that Defense agencies must use products validated by the National Information Assurance Partnership, he said. The NIAP is a joint effort by the National Security Agency and the National Institute of Standards and Technology to certify that commercial products meet security standards.