Security compliance help on the way



Federal security experts are getting out the word that help is on the way for agencies trying to build security into information systems.

The government's top security executives on Tuesday outlined several resources being developed to help agencies comply with ever-increasing security


President Clinton's release in January of the National Plan for Information Systems Protection added to agencies' roster of security regulations. Agencies must also comply with the Computer Security Act of 1987 and Presidential Decision Directive 63, which was issued in May 1998 and requires agencies to protect their critical information systems from cyberattacks.

Among the tools outlined Tuesday during a CIO Council-sponsored critical infrastructure protection conference:

* A matrix to help agencies identify interdependent systems and thus help set priorities for funding and security. "This tool is really designed to help you and your CIOs decide where they will conduct vulnerability assessments," said John Tritak, director of the Critical Infrastructure Assurance Office, which developed the tool. "This provides a way of focusing priorities and scarce resources and identifying where those critical assets and systems lie, and it provides a framework for CIOs to make important infrastructure policy choices and budget decisions."

The matrix will look at three levels of interdependencies: those within each agency, those between agencies, and those between agencies and the private sector.

* A process that brings together the security funding requirements from all federal agencies to see how they fit into overall federal critical infrastructure protection. This method, created by the Office of Management and Budget, has been used for other governmentwide issues, such as dealing with terrorism.

* Suggestions for supplemental funding. The OMB process will not take effect in federal budgets until 2002, but agencies need money now, said Fernando Burbano, CIO at the State Department. To tide agencies over until they have built security into their budget requests, OMB should go to Congress and ask for supplemental funding, he said.

"What is needed is a supplemental, just like the Y2K, in order to take care of this first year or two, because the budgets for those years don't reflect the National Plan, don't reflect the huge Internet dependency now that the government is moving to e-gov," he said.

* A better mechanism to make agencies aware of security vulnerabilities and fixes. The Federal Computer Incident Response Capability is working on it, said Judith Spencer, director of the Center for Governmentwide Security at the General Services Administration's Office of Governmentwide Policy. FedCIRC serves as the civilian agency incident warning and response center for computer vulnerabilities.

