New rules alter federal security planning

The environment for federal security has changed greatly over the past three months, making development of critical information systems protections crucial

The environment for federal security has changed greatly over the past three months, making it more crucial than ever for agencies to develop plans that address the critical information systems under their control, government security officials say.

Agencies always work on boosting security, but Presidential Decision Directive 63 calls for agencies to develop specific plans for systems that are essential to the minimum operations of the economy and the government. Because of this, the Critical Infrastructure Assurance Office and other organizations are not only addressing specific threats, "we're trying to figure out how to put long-term improvements back into the system," said Robert Miller, deputy director of the CIAO, at the Defending Cyberspace 2000 conference in Washington, D.C., on Monday.

Since September, the U.S. and European governments have put in place new regulations and guidelines that will affect how every agency approaches security, he said.

In October, President Clinton signed the fiscal 2001 Defense Authorization Act, which includes several security requirements for the Defense Department but also includes the Government Information Security Reform Act. That law affects all federal agencies and establishes new levels of security management and accountability that agencies will have to make a part of their business process, Miller said.

Also in October, the Council of Europe released its draft convention on cybercrime, a document that would standardize cybercrime laws among the 41 member countries and must be ratified by the U.S. Congress.

And last week, the Office of Management and Budget and the CIO Council released the latest revision of Circular A-130, the regulation that covers the management of all federal information technology. Security management is also part of that document, and OMB said another revision in 2001 would include further changes in this specific area.

Although all the changes have yet to make a distinct difference, they do shift the environment to enable agencies to reach their goals, Miller said. Generally, the changes are positive and provide clearer guidance on security, but agencies will have to revise plans over the next few months to accommodate the changes, he added.

The CIAO is already working on a second version of the National Plan for Information Systems Protection that President Clinton released the first week in January. The next version will include the recent new laws and regulations as well as the role of the private sector in critical infrastructure protection, said Ken Watson, alliance manager for critical infrastructure protection at Cisco Systems Inc.

The public/private Partnership for Critical Infrastructure Security has created a working group to help develop this second draft and recently provided comments to the CIAO, Watson said.
