Hill delivers — some — security funding

The Clinton administration received only about half of what it wanted for many of its key governmentwide information security programs. Nevertheless, many federal security officials are not grousing.

In fact, many are happy that Congress funded information security at all.

"We feel like this is manna from heaven," said Sallie McDonald, acting director of the Office of Information Assurance and Critical Infrastructure Protection at the General Services Administration. "It's amazing how your perspective changes when you think you're not going to get anything."

GSA received $8 million to fund the Federal Computer Incident Response Capability, which warns civilian agencies about cyberattacks and tracks such attacks. GSA plans to use the money to enhance FedCIRC's offerings, including developing a long-planned central analysis center to determine patterns of cyberattacks across government. "We've had a very successful program, but we haven't been able to put the resources behind it that it needs, and now we can move forward," said McDonald, who also serves as the deputy associate administrator of GSA's Information Systems Security Center.

This summer, the administration began to fear that Congress would not fund any of its security programs. In many of the reports accompanying House and Senate appropriations bills, the security programs highlighted by President Clinton received no funding. In August, administration officials criticized Congress for failing to fund the initiatives.

No security program received full funding, but some initiatives within programs — such as the Scholarship for Service initiative, which is part of the Federal Cyber Services training and education program — were fully funded.

Security officials were pleased that many programs got any funding at all, in particular the scholarship initiative, which will provide money to students pursuing information security degrees in return for working for the federal government upon graduation. "[The scholarship funding] indicates that the concerns that some people had that no new programs would be funded is not true," said John Tritak, director of the Critical Infrastructure Assurance Office (CIAO). "Congress is considering things on their merits."

But the Office of Personnel Management received no money for this initiative, meaning that the agency will only be able to support the scholarship program in a limited capacity, according to an OPM official. Also, OPM did not receive funding for the other initiatives under the Federal Cyber Services, including training and certification for current federal security professionals.

"We are exploring options to continue getting the program moving, but obviously we will be going slower," said Shirley Malia, Federal Cyber Services program director at the CIAO. "We will be going back the second year when we can show progress."

The Treasury Department also received only partial funding for governmentwide public-key infrastructure initiatives to use digital certificates to authenticate and authorize users. Most of the $3.5 million it received, which represents half of what the administration asked for, will be used to start up the Federal Bridge Certification Authority. This is the mechanism developed by the Federal PKI Steering Committee to enable any agency to accept certificates issued by any other agency.

The Commerce Department's National Institute of Standards and Technology, which is in charge of several government-wide security initiatives, could receive some money once the funding bill for the department is passed and signed.

Included in the bill is $3 million for an Expert Review Team, which will provide assistance to agencies developing critical infrastructure protection plans under Presidential Decision Directive 63. The directive requires agencies to protect systems supporting the nation's critical infrastructure.

NIST received no funding for the Institute for Information Infrastructure Protection, which the administration intended to create to serve as a center for critical infrastructure protection research and development grants that would fill the gaps in government and commercial research.