New rules alter federal security planning

Security sections of the 2001 Defense Authorization Act

The environment for federal security has changed greatly over the past three months, making it more crucial than ever for agencies to develop plans that address the critical information systems under their control, government security officials say.

Agencies always work on boosting security, but Presidential Decision Directive 63 calls for agencies to develop specific plans for systems that are essential to the minimum operations of the economy and the government. Because of this, the Critical Infrastructure Assurance Office and other organizations are not only addressing specific threats, "we're trying to figure out how to put long-term improvements back into the system," said Robert Miller, deputy director of the CIAO, at the Defending Cyberspace 2000 conference in Washington, D.C., on Monday.

Since September, the U.S. and European governments have put in place new regulations and guidelines that will affect how every agency approaches security, he said.

In October, President Clinton signed the fiscal 2001 Defense Authorization Act, which includes several security requirements for the Defense Department but also includes the Government Information Security Reform Act. That law affects all federal agencies and establishes new levels of security management and accountability that agencies will have to make a part of their business process, Miller said.

Also in October, the Council of Europe released its draft convention on cybercrime, a document that would standardize cybercrime laws among the 41 member countries and must be ratified by the U.S. Congress.

And last week, the Office of Management and Budget and the CIO Council released the latest revision of Circular A-130, the regulation that covers the management of all federal information technology. Security management is also part of that document, and OMB said another revision in 2001 would include further changes in this specific area.

Although all the changes have yet to make a distinct difference, they do shift the environment to enable agencies to reach their goals, Miller said. Generally, the changes are positive and provide clearer guidance on security, but agencies will have to revise plans over the next few months to accommodate the changes, he added.

The CIAO is already working on a second version of the National Plan for Information Systems Protection that President Clinton released the first week in January. The next version will include the recent new laws and regulations as well as the role of the private sector in critical infrastructure protection, said Ken Watson, alliance manager for critical infrastructure protection at Cisco Systems Inc.

The public/private Partnership for Critical Infrastructure Security has created a working group to help develop this second draft and recently provided comments to the CIAO, Watson said.
