OMB wants trusted access plans

Deadlines are fast approaching to reduce Internet connections for greater security.

Agencies are under a directive to decrease the number of external Internet connections they maintain as part of an effort to keep closer watch on the traffic flowing through those connections. By April 15, they are to file details on their business models, technical capabilities and plans for consolidating those connections under the Office of Management and Budget’s Trusted Internet Connections (TIC) initiative. The plans must also include agencies’ assessments of their ability to be shared-services providers of secure gateway Internet access for other agencies. By May 1, agencies must tell OMB if they need additional public Internet access points and, if so, justify the need.

OMB will work with agencies to help them achieve the administration’s security priorities, said Karen Evans, OMB’s administrator for e-government and information technology. “We expect agencies to meet the deadlines requested as well as the target for reduction of the external access points.”

The initiative will improve the federal government’s incident response capability by enabling centralized gateway monitoring at a select group of trusted access providers, Evans said. OMB introduced the policy initiative in November as part of its Information Systems Security Line of Business initiative. By June 30, the agency expects to reach its consolidation goal of having only 50 external Internet connections for the entire federal government — it now has more than 1,000. The success of the initiative will depend on each major department or agency having only two or three gateway connections.

To protect sensitive data from potential adversaries, the federal government cannot maintain an unlimited number of external pathways to the public Internet, said Randy Vickers, associate deputy director of the U.S. Computer Emergency Readiness Team at the Homeland Security Department. Instead, agencies must channel their connections through a reduced number of gateways. The consolidation should have no effect on employees’ ability to use the Internet, Vickers said.

Agencies must comply with TIC at the same time four other OMB information security mandates — encryption, two-factor authentication, Federal Desktop Core Configuration and Homeland Security Presidential Directive 12 — are demanding their attention. “It’s hard to do five things at once, but there really are at least five things you have to do at once to be protected,” said David Wennergren, deputy chief information officer at the Defense Department. “You really have to do HSPD-12 and those other things in parallel and not so much in a sequential pattern because that’s going to drag it out.” HSPD-12 is the government’s secure identity verification program, which uses computer-readable cards.

The Health and Human Services Department earlier reduced its external connections to the Internet from more than 40 to 16, said Michael Carleton, HHS’ CIO. “It was a success because nobody knew” the consolidation had occurred, Carleton said. However, further reducing those external connections from 16 to two or three will be more difficult, he said.

HHS will use the General Services Administration’s Networx network services program to create an architecture for fewer Internet gateways. Using the Networx option, HHS expects to activate TIC connections in April 2009, Carleton said. Vendors qualify as public Internet gateway providers under OMB’s TIC initiative. HHS could implement TIC faster under the current but expiring FTS 2001 telecommunications contract. However, the Networx program offers more capabilities, Carleton said. HHS plans to use Networx to comply with two additional governmentwide OMB policy initiatives. The department will upgrade its backbone network to run the next-generation IP and optimize its IT infrastructure under OMB’s IT Infrastructure Line of Business.

Culture change

The Defense Department has reduced its public Internet access points over time, said David Wennergren, DOD’s deputy chief information officer. It was a process that required DOD to change its culture and to manage change. The Trusted Internet Connections initiative “is about giving up some personal control and having to partner with someone else,” he said.

Wennergren said DOD’s consolidation experience proved the value of these five steps.

1. Get leaders at the top to talk about the initiative.

2. Establish a governance structure to measure and monitor progress.

3. Implement a single repeatable process.

4. Establish clear lines of authority that provide management direction.

5. Create consequences for not following through.

— Mary Mosquera