FedCIRC preps free security tools

FedCIRC

Working with its second year of appropriated funding, the Federal Computer Incident Response Center is preparing a range of free security tools for agencies over the next year, a federal cybersecurity official said Jan. 23.

Within the next two weeks, vendors will finish submitting proposals for an automatic patch dissemination system, which is intended to make it easier for security managers to handle the abundance of security patches available for commercial software, said Sallie McDonald, assistant commissioner for information assurance and critical infrastructure protection at the General Services Administration's Federal Technology Service.

Many industry and government studies show that most security incidents could be avoided if managers apply patches for known vulnerabilities. The patch dissemination system will help managers sift patches that do not apply to their network and let them concentrate on patches they really need, McDonald said.

"We're hoping we can eliminate all the fluff," she said at Potomac Forum Ltd.'s Computer Security and Information Assurance Conference in Washington, D.C. "This will make it more simple for them."

FedCIRC also is about to issue a request for proposals on a collaboration system that will offer federal officials a closed environment to discuss sensitive but unclassified security issues, McDonald said. Officials are already working on the classified Cyber Warning Information Network, but there is a need for collaboration among officials who are not cleared for classified information, she said.

By the end of the year, FedCIRC plans to pilot a new tool being developed by CERT Coordination Center at Carnegie Mellon University that will automatically analyze incident information from agencies' security applications, McDonald said. The CERT Coordination Center is an Internet security research group. The analysis will also be fed to FedCIRC to provide a cross-agency view of security incidents.

FedCIRC officials are talking to agencies now about participating in the pilot for this year and are planning to offer the fully operational tool to all agencies in 2003, McDonald said.