Infosec takes front seat at DOT

Agency's five-year plan sets precise goals

The Transportation Department is making the security of computer systems that control the nation's transportation systems a top priority for the next five years.

In its Strategic Plan for 2000-2005, released Sept. 7, DOT made it clear that information security requires the attention of the agency's managers to make travel safer, more affordable and more available.

By the end of this month, DOT will have a plan for assessing, fixing and testing the security of its computer systems, much like the one completed nearly a year ago in preparation for the Year 2000.

But unlike Year 2000, information security is not a coding problem. The strategic plan calls for management attention to assess the vulnerabilities of critical information technology systems and to educate the workforce about the problem.

The overall IT Security Program Plan, to be delivered to DOT Secretary Rodney Slater Sept. 30, is a blueprint for "who's responsible for what in security," said George Molaski, DOT chief information officer. He is circulating the document for comment at the Federal Aviation Administration and the U.S. Coast Guard, which operate all 110 infrastructure-critical systems identified by DOT.

According to Presidential Decision Directive 63, federal agencies must achieve and maintain the ability to protect their critical infrastructure by 2003, with an initial capability by the end of 2000. Because the cost of fixing and testing those systems is uncertain, DOT is focusing on assessing the vulnerabilities of those systems and the risk of attacks against them to determine the level of security needed. "That's just the first step in trying to develop, in addition to the information architecture, a security architecture," Molaski said.

Molaski is trying to elevate the IT security position in his office to the senior executive level.

Among DOT's milestones are that all risk assessments of those systems will be completed by November 2002 and all remediation and testing of the systems by May 2003. The FAA also will establish this year an Information Security Concept of Operations and finalize a long-term plan for deploying its Computer Security Incident Response Capability.

The agency also will provide IT security awareness training to all of its workers via the World Wide Web by the end of this month, Molaski said.

More specifically, advanced IT security training is already being offered to key program managers and system administrators at the FAA, according to Raymond Long, director of the FAA's Office of Information Systems Security, who has said his biggest challenge will be raising awareness of IT security at the FAA.

The Coast Guard recently appointed a new CIO, Adm. Vivian Crea, who will be responsible for information security remediation of the Coast Guard's Operations Control Center and five critical systems for the Coast Guard's national security and emergency response missions. Risk assessments of Coast Guard systems will be finished by November, according to the DOT Strategic Plan. The assessments will be followed by the completion of security plans for all critical Coast Guard systems by April 2001.

Although PDD 63 doesn't include similar efforts for non-mission-critical systems, DOT is going to secure those as well. Other DOT administrations will develop a plan to ensure their IT assets comply with the Office of Management and Budget's guidance on information security by March 30, 2001. At least 25 percent of those assets will be assessed, tested and certified by Sept. 30, 2001.