Security compliance help on the way

Federal security executives outline resources being developed to help agencies comply with ever-increasing security requirements


Federal security experts are getting out the word that help is on the way for agencies trying to build security into information systems.

The government's top security executives on Tuesday outlined several resources being developed to help agencies comply with ever-increasing security requirements.

President Clinton's release in January of the National Plan for Information Systems Protection added to agencies' roster of security regulations. Agencies must also comply with the Computer Security Act of 1987 and Presidential Decision Directive 63, which was issued in May 1998 and requires agencies to protect their critical information systems from cyberattacks.

Among the tools outlined Tuesday during a CIO Council-sponsored critical infrastructure protection conference:

* A matrix to help agencies identify interdependent systems and thus help set priorities for funding and security. "This tool is really designed to help you and your CIOs decide where they will conduct vulnerability assessments," said John Tritak, director of the Critical Infrastructure Assurance Office, which developed the tool. "This provides a way of focusing priorities and scarce resources and identifying where those critical assets and systems lie, and it provides a framework for CIOs to make important infrastructure policy choices and budget decisions."

The matrix will look at three levels of interdependencies: those within each agency, those between agencies, and those between agencies and the private sector.

* A process that brings together the security funding requirements from all federal agencies to see how they fit into overall federal critical infrastructure protection. This method, created by the Office of Management and Budget, has been used for other governmentwide issues, such as dealing with terrorism.

* Suggestions for supplemental funding. The OMB process will not take effect in federal budgets until 2002, but agencies need money now, said Fernando Burbano, CIO at the State Department. To tide agencies over until they have built security into their budget requests, OMB should go to Congress and ask for supplemental funding, he said.

"What is needed is a supplemental, just like the Y2K, in order to take care of this first year or two, because the budgets for those years don't reflect the National Plan, don't reflect the huge Internet dependency now that the government is moving to e-gov," he said.

* A better mechanism to make agencies aware of security vulnerabilities and fixes. The Federal Computer Incident Response Capability is working on it, said Judith Spencer, director of the Center for Governmentwide Security at the General Services Administration's Office of Governmentwide Policy. FedCIRC serves as the civilian agency incident warning and response center for computer vulnerabilities.