EDS certified for security assessments

Electronic Data Systems Corp. has been approved to use an information security assessment methodology endorsed by the Critical Information Assurance Office (CIAO) to help federal agencies identify vulnerabilities in their computer networks.

Agencies are turning their attention to security issues as their Year 2000 remediation projects wind down and as pressure mounts for compliance with Presidential Decision Directive (PDD) 63, which asks agencies to come up with plans to protect their key systems, and with other security requirements issued by the Office of Management and Budget.

EDS received the approval after being rated against the information security assessment capability maturity model (CMM), which was developed by the National Security Agency in cooperation with the system security engineering CMM project, an NSA spokeswoman said.

CMMs are designed to help organizations develop a consistent, well-documented set of processes in a particular area. The CMM concept came out of the federally funded Software Engineering Institute at Carnegie Mellon University, which originally developed a CMM for software engineering. CMMs are designed to ensure that a given process can be carried out in a similar fashion, with similar results, from project to project.

Several companies worked on the system security engineering CMM project over the past couple of years, said Daryl Eckard, director of technical services for EDS' Information Assurance Group.

NSA picked the key process areas out of the system security engineering CMM to develop the information security assessment CMM, Eckard said. NSA identified those pieces as things that could be used for appraisals to make sure companies do assessments according to a consistent methodology, he said.

Computer Sciences Corp.'s Information Assurance Solution Operations unit received approval in February for its systems security engineering CMM. CSC is offering its services under the General Services Administration's Safeguard Program, a CSC spokesman said. The Safeguard Program is intended to help agencies develop plans required under PDD 63 to protect their critical information systems.

The approval of EDS' processes confirms its maturity to assess the protection of agencies' critical information infrastructures and qualifies EDS' Information Assurance Center of Excellence in Herndon, Va., to perform assessments, Eckard said.

EDS officials began the appraisal process a little less than a year ago by building on existing processes as they learned the agency's security assessment methodology. The CIAO then appraised EDS' ability to use the methodology in a week-long process, Eckard said.

EDS already has begun working with about six agencies to examine their security processes and determine where their vulnerabilities are, offering countermeasures and security mechanisms involving a combination of technologies to protect their critical systems and data.

"We do an objective look and determine where the holes are," Eckard said.

The assessments examine an agency's local-area networks and other parts of the infrastructure, as well as some of the agency's business processes. Typical suggestions for improvement include changing those processes and taking steps such as subscribing to services that provide information on threat vulnerability and developing policies to ensure that employees are aware of security issues.

