Security compliance help on the way
- By Diane Frank
- Mar 14, 2000
National Plan for Information Systems Protection
Federal security experts are getting out the word that help is on the way
for agencies trying to build security into information systems.
The government's top security executives on Tuesday outlined several
resources being developed to help agencies comply with ever-increasing security
President Clinton's release in January of the National Plan for Information
Systems Protection added to agencies' roster of security regulations. Agencies
must also comply with the Computer Security Act of 1987 and Presidential
Decision Directive 63, which was issued in May 1998 and requires agencies
to protect their critical information systems from cyberattacks.
Among the tools outlined Tuesday during a CIO Council-sponsored critical
infrastructure protection conference:
* A matrix to help agencies identify interdependent systems and thus
help set priorities for funding and security. "This tool is really designed
to help you and your CIOs decide where they will conduct vulnerability assessments,"
said John Tritak, director of the Critical Infrastructure Assurance Office,
which developed the tool. "This provides a way of focusing priorities and
scarce resources and identifying where those critical assets and systems
lie, and it provides a framework for CIOs to make important infrastructure
policy choices and budget decisions."
The matrix will look at three levels of interdependencies: those within
each agency, those between agencies, and those between agencies and the
* A process that brings together the security funding requirements from
all federal agencies to see how they fit into overall federal critical infrastructure
protection. This method, created by the Office of Management and Budget,
has been used for other governmentwide issues, such as dealing with terrorism.
* Suggestions for supplemental funding. The OMB process will not take
effect in federal budgets until 2002, but agencies need money now, said
Fernando Burbano, CIO at the State Department. To tide agencies over until
they have built security into their budget requests, OMB should go to Congress
and ask for supplemental funding, he said.
"What is needed is a supplemental, just like the Y2K, in order to take
care of this first year or two, because the budgets for those years don't
reflect the National Plan, don't reflect the huge Internet dependency now
that the government is moving to e-gov," he said.
* A better mechanism to make agencies aware of security vulnerabilities
and fixes. The Federal Computer Incident Response Capability is working
on it, said Judith Spencer, director of the Center for Governmentwide Security
at the General Services Administration's Office of Governmentwide Policy.
FedCIRC serves as the civilian agency incident warning and response center
for computer vulnerabilities.