NIST stumps for federal security team

The National Institute of Standards and Technology will form a new security team to help guard against and respond to Internet break-ins at civilian agency sites, under a plan being considered by the Government Information Technology Services (GITS) Working Group.

The new security group would respond to computer intrusions, provide agencies with guidance and vulnerability "fixes," develop and maintain publicly available tools, perform vulnerability analyses and conduct follow-up studies of incidents. It would also operate a 24-hour emergency hot line.

NIST envisions the team as filling a void that has developed as a result of recent changes to the Office of Management and Budget's Circular A-130. Although the changes require all agencies to maintain a computer security response capability, the majority of civilian agencies do not operate their own security teams.

"We would cover [civilian agencies] who do not have an existing team," said Marianne Swanson, a computer specialist at NIST's Computer Security Division. "And we would work with the other government agency teams that are already in existence. We envision that we will be a pretty big powerhouse."

Under the plan, the Energy Department's Computer Incident Advisory Capability (CIAC) and the Defense Advanced Research Projects Agency-funded Computer Emergency Response Team (CERT) would jointly operate the service at their sites.

"It would be run by both CIAC and CERT's facilities," Swanson said. "There would still be a CIAC team to handle Energy Department issues, but CIAC would also house a big part of the governmentwide capability. And that would work the same way for CERT."

NIST would act as a temporary coordinator while the program is being started.

NIST wants funding of about $8 million over two years to start up the program, which could get the go-ahead as soon as two months from now.

A fully functional incident response capability would be up and running within six months of receiving funding approval, according to NIST. GITS is an inter-agency group that addresses issues related to the National Performance Review and the administration's National Information Infrastructure initiative. The money for the program would come from the GITS Innovation Fund.

Gayle Gordon, head of the GITS Innovation Fund, would not comment on the likelihood of funding for the proposal.

Agencies without their own security response teams now have few options in the event of an intrusion. They can call CERT, the largest and oldest computer security response team in the world, but CERT responds to a constituency that is as large as the Internet itself. As a result, it does not give specialized service.

CIAC does offer specialized security service on a fee basis, and the new team would expand on this concept. It would also make the sharing of vulnerability information easier, supporters said.

Tearing Down the Barriers

Response teams' hesitancy to share information continues to obstruct efforts to develop a central resource for break-in statistics.

"We want this group to cross agency boundaries and augment agencies' [existing] capabilities," Swanson said. "We feel there's a benefit to having similar music that all agencies can follow—recommendations, guidance, tools. It will be a more common set of tools that all can use."

"So many agencies don't have a response capability," said Sandy Sparks, CIAC's director. "If the proposal gets funded, it will be a really proactive step."

Currently, only DOE, NASA, the Defense Department, the Air Force, the Navy, the Veterans Health Administration and the Small Business Administration have their own security response teams.

However, DARPA has signaled that it will stop funding CERT for its emergency response capabilities, though it will continue funding for CERT to conduct research in computer security.

NIST would help set up the security team, but eventually the service would operate from fees paid by member agencies and be self-sustaining. The GITS Innovation Fund gives one-time loans to government technology projects.

"GITS will get it started, but then it will have to live in the cold, hard world," said Tim Grantz, a computer security specialist at NIST.

"It's ambitious in a time of constrained resources, [and] it remains to be seen how willing people are to spend money on security," he said. "It's a good first step toward giving agencies an effective service that helps people meet the regulatory intent of Circular A-130."

"It's ambitious because we're taking on a large, large role, and a lot of the functions we're going to perform require a lot of time, effort and money," NIST's Swanson said.

NIST is taking additional steps to promote more open sharing of security statistics among federal agencies, universities and businesses. NIST will conduct a workshop on data sharing June 10-12.
