Infosec takes front seat at DOT
- By Paula Shaki Trimble
- Sep 18, 2000
The Transportation Department is making the security of computer systems
that control the nation's transportation systems a top priority for the
next five years.
In its Strategic Plan for 2000-2005 released Sept. 7, DOT made it clear
that information security requires the attention of the agency's managers
to make travel safer, more affordable and more available.
By the end of this month, DOT will have a plan for assessing, fixing
and testing the security of its computer systems much like the one completed
nearly a year ago in preparation for the Year 2000.
But unlike Year 2000, information security is not a coding problem.
The strategic plan calls for management attention to assess the vulnerabilities
of critical information technology systems and to educate the workforce
about the problem.
The overall IT Security Program Plan, to be delivered to DOT Secretary
Rodney Slater Sept. 30, is a blueprint for "who's responsible for what in
security," said George Molaski, DOT chief information officer. He is circulating
the document for comment at the Federal Aviation Administration and the
U.S. Coast Guard, which operate all 110 infrastructure-critical systems
identified by DOT.
According to Presidential Decision Directive 63, federal agencies must
achieve and maintain the ability to protect their critical infrastructure
by 2003, with an initial capability by the end of 2000. Because the cost
of fixing and testing those systems is uncertain, DOT is focusing on assessing
the vulnerabilities and risks of attack of those systems to determine the
level of security needed. "That's just the first step in trying to develop,
in addition to the information architecture, a security architecture," Molaski
Molaski is trying to elevate the IT security position in his office
to the senior executive level.
Among DOT's milestones are that all risk assessments of those systems
will be completed by November 2002 and all remediation and testing of the
systems by May 2003. The FAA also will establish this year an Information
Security Concept of Operations and finalize a long-term plan for deploying
its Computer Security Incident Response Capability.
The agency also will provide IT security awareness training to all of
its workers via the World Wide Web by the end of this month, Molaski said.
More specifically, advanced IT security training is already being offered
to key program managers and system administrators at the FAA, according
to Raymond Long, director of the FAA's Office of Information Systems Security,
who has said his biggest challenge will be raising awareness of IT security
at the FAA.
The Coast Guard recently appointed a new CIO, Adm. Vivian Crea, who
will be responsible for information security remediation of the Coast Guard's
Operations Control Center and five critical systems for the Coast Guard's
national security and emergency response missions. Risk assessments of Coast
Guard systems will be finished by November, according to the DOT Strategic
Plan. The assessments will be followed by the completion of security plans
for all critical Coast Guard Systems by April 2001.
Although PDD 63 doesn't include similar efforts for non-mission-critical
systems, DOT is going to secure those as well. Other DOT administrations
will develop a plan to ensure their IT assets comply with the Office of
Management and Budget's guidance on information security by March 30, 2001.
At least 25 percent of those assets will be assessed, tested and certified
by Sept. 30, 2001.