Draft report outlines PKI policy
To improve the public's access to government services and information and to tighten the security of unclassified government information systems, the federal government must work in partnership with the private sector to design and build a public-key infrastructure (PKI), according to a report being prepared by the National Partnership for Reinventing Government.
PKI, a framework of technology and policy regarding the use of digital signatures, will be a foundation to support trusted communication among federal government agencies and between those agencies and the private sector, according to a draft version of the report "Access With Trust." This security framework is vital to the creation of online loan applications, electronic voting and tax filing, according to the report.
PKI will provide four basic security services: authentication, data integrity, nonrepudiation (verification that an electronic message has been sent) and confidentiality. It will be designed not with a "government-only approach" but as part of the evolving private-sector PKI being built using commercial products. For the needs of federal customers, PKI must be secure, reliable, flexible and cost-effective and must provide a level of assurance based on the requirements of each application while ensuring proper privacy protection, the report noted.
"A critical goal in developing PKI is ensuring that it meets the needs of its users without undue complexity or cost," according to the report. "This is no small matter because potential users represent a broad spectrum, ranging from those who need a modest level of security and cannot tolerate substantial expense for that purpose, to those who need much higher levels of security and are willing to incur the expenses associated with having those services."
To launch the development of PKI, the report calls for the federal government to:
* Identify its own business requirements and the requirements of its customers.
* Prepare and implement appropriate standards in cooperation with industry.
* Articulate sound business practices governing agency use of PKI.
* Conduct pilot demonstration projects to explore the ways in which public-key technology can enhance agency operations and promote interactions with citizens and companies.
CIO bill introduced
Last month Sen. Richard Lugar (R-Ind.) introduced a bill that would give the Agriculture Department's chief information officer more control over information technology expenditures and Year 2000 issues.
The USDA Information Technology Reform and Year 2000 Compliance Act of 1998 would require the USDA secretary to transfer 5 percent of each agency's IT funds to the CIO, a position currently held by Anne Thomson Reed, at the beginning of each fiscal year. It would also make the CIO a presidential appointee who would report directly to the USDA secretary and would require that any agency obligation or outlay of funds for IT exceeding $25,000 be approved by the CIO.
The legislation "aims to coordinate efforts and improve efficiency in Year 2000 compliance programs at USDA and potentially at other agencies within the federal government," Lugar said in a statement.
The bill requires the CIO not only to address the Year 2000 issue throughout his own agency but also as the issue relates to other federal agencies, state and local governments, and private and international partners. The bill also would require the comptroller general to report on USDA's compliance with the law.
A computer programmer who accessed sensitive military data in a database detailing Air Force combat readiness was sentenced last month to six months in a halfway house.
Zhangyi Liu, a programmer who was working for a subcontractor to Litton/PRC Inc. in 1996, was also fined $5,000 after pleading guilty to exceeding authorized access to a computer.
Liu, a Chinese national, downloaded passwords from the $148 million Reliability and Maintainability Information System (Remis) at Wright-Patterson Air Force Base, Ohio [FCW, Nov. 17, 1997].
Remis is an unclassified system that contains data about aircraft inventories, communications and electronics equipment, and missiles. It also has data on the mission capability of aircraft.