FAA moves on infosec awareness

A year after the Federal Aviation Administration's chief information officer established the agency's information security office and started setting agencywide security policies, his effort is moving to the grass-roots level.

"Last year, I was writing white papers," said Daniel Mehan, the FAA's CIO. "This year, we're giving out trinkets."

Mehan and Michael Brown, who was hired last month as director of the FAA's Office of Information Security, are conducting an outreach campaign over the next six months via awareness events about information security at agency facilities across the country. The first such event was April 4 at the FAA headquarters.

The trinkets Mehan mentioned are cardboard pyramids that explain the FAA's five layers of system protection and calendars that include tips, such as "report all suspected security breaches" and "log off e-mail and/or applications before leaving," on each month of the year. Both include names and phone numbers of agency information security contacts.

The pyramid was derived from a paper Mehan wrote last year identifying five levels at which security issues arise: personnel, physical facilities, information systems security, site-specific adaptation and redundancy. It also describes solutions in each area, such as authentication, access control and confidentiality.

The stepped-up effort is the key piece of the FAA's plan to protect critical infrastructure. A number of training sessions for IT professionals concerning policies are also in development, Brown said.

"A lot of agencies will say their biggest threat is inside rather than external," said Brown, who was CIO at the Army National Guard before joining the FAA.

Mehan has taken a hard stance on all new systems, requiring that each be certified as meeting information security requirements before it is fielded. As FAA personnel start using more mobile and wireless devices, information assurance and security will become more of a challenge, he said.

It helps to have the support of Norman Mineta, secretary of the Transportation Department, FAA's parent agency, Mehan said. "In my first conversation with [Mineta], he told me he helped get PDD 63 off the ground," Mehan said, referring to Presidential Decision Directive 63, which requires agencies to audit and certify their critical IT systems by May 2003.

That doesn't mean the FAA hasn't encountered some rough spots. A recent DOT inspector general report found that some of the FAA and its contractors' Web sites were collecting information about their visitors via cookies. Since the report, they have removed most unauthorized cookies. Software on a vendor's Web site automatically generated persistent cookies without the administrator's knowledge or consent, Mehan said.

"That experience showed us how important vigilance is," he said. "The challenge for Mike [Brown] is: How do you monitor sufficiently on a regular basis to make sure what you fixed yesterday is still fixed?"

Activities and policies planned for this year include:

  • Improving intrusion detection and alert distribution through the FAA's Computer Security Incident Response Capability.
  • Improving and refining the FAA's Information Systems Security Architecture.
  • Nurturing an information security research and development program.
  • Creating a policy on Web sites and their security requirements.
  • Exploring future policies on remote and mobile connectivity.
