New rules alter federal security planning
- By Diane Frank
- Dec 12, 2000
The environment for federal security has changed greatly over the past three
months, making it more crucial than ever for agencies to develop plans that
address the critical information systems under their control, government
security officials say.
Agencies always work on boosting security, but Presidential Decision
Directive 63 calls for agencies to develop specific plans for systems that
are essential to the minimum operations of the economy and the government.
Because of this, the Critical Infrastructure Assurance Office and other
organizations are not only addressing specific threats, "we're trying to
figure out how to put long-term improvements back into the system," said
Robert Miller, deputy director of the CIAO, at the Defending Cyberspace
2000 conference in Washington, D.C., on Monday.
Since September, the U.S. and European governments have put in place
new regulations and guidelines that will affect how every agency approaches
security, he said.
In October, President Clinton signed the fiscal 2001 Defense Authorization
Act, which includes several security requirements for the Defense Department
but also includes the Government Information Security Reform Act. That law
affects all federal agencies and establishes new levels of security management
and accountability that agencies will have to make a part of their business
process, Miller said.
Also in October, the Council of Europe released its draft convention
on cybercrime, a document that would standardize cybercrime laws among the
41 member countries and must be ratified by the U.S. Congress.
And last week, the Office of Management and Budget and the CIO Council
released the latest revision of Circular A-130, the regulation that covers
the management of all federal information technology. Security management
is also part of that document, and OMB said another revision in 2001 would
include further changes in this specific area.
Although all the changes have yet to make a distinct difference, they
do shift the environment to enable agencies to reach their goals, Miller
said. Generally, the changes are positive and provide clearer guidance on
security, but agencies will have to revise plans over the next few months
to accommodate the changes, he added.
The CIAO is already working on a second version of the National Plan
for Information Systems Protection that President Clinton released the first
week in January. The next version will include the recent new laws and regulations
as well as the role of the private sector in critical infrastructure protection,
said Ken Watson, alliance manager for critical infrastructure protection
at Cisco Systems Inc.
The public/private Partnership for Critical Infrastructure Security
has created a working group to help develop this second draft and recently
provided comments to the CIAO, Watson said.