Firms undergo NSA infosec rating
- By Dan Caterinicchia
- Mar 19, 2002
The National Security Agency last week announced the first companies to
undergo an appraisal of their information security practices in a program
aimed at helping government and commercial organizations improve their systems
security.
Under the Infosec Assessment Training and Rating Program, organizations
that need to assess their vulnerability can call on companies qualified
to perform such assessments within NSA-defined guidelines and standards,
according to NSA.
This marks the first time civilian agencies have been able to access
security assessment companies that have undergone this type of government
evaluation, and it enables customers to judge whether a provider is capable
of meeting their requirements.
Many agencies are using the General Services Administration's Safeguard
contract, which offers more than 25 vendors who perform such cybersecurity
assessments, but GSA does not provide any standard evaluation of the vendors'
capabilities.
NSA established the program because it does not have the resources to
perform all the Infosec assessments requested. The training part of the
program teaches NSA's standardized Infosec Assessment Methodology, which
is a systematic way of examining cyber vulnerabilities. Providers then
undergo an Infosec Assessment Capability Maturity Model appraisal and receive
a rating.
Seven companies agreed to have their Infosec vulnerability assessment
capability appraised: Backbone Security.com Inc., Booz Allen Hamilton, Computer
Sciences Corp., EDS, Lucent Technologies, SRA International Inc. and TrustWave
Corp. (formerly NetSafe).
All the companies use either the NSA-developed Infosec Assessment Methodology
or a similar assessment methodology, and their ratings can be found at www.iatrp.com.
Paul Holmes, director of assessment operations at EDS, said the company
had participated in the program since it was piloted in 1998. In September
2001, NSA completed its review of EDS' security assessment processes and
the company already has performed those services for government and commercial
clients, he said.
Holmes said the cost and time needed to perform an assessment varied
by client, and he would not go into further detail. He did say that inclusion
in the NSA program has been a "valuable credential to have," and he considers
the effort "an ongoing, continuously improving process."
The program's long-term goal is to assist in the protection of sensitive
data by increasing the information assurance levels of national and defense
information systems, according to NSA. The program also enables compliance
with the Presidential Decision Directive 63 requirements for vulnerability
assessments.
PDD-63 requires agencies to protect the information systems that support
the nation's critical infrastructure, including transportation and banking.
It also directed industry to form information sharing and analysis centers
to collaborate on security incidents and to work with government.