Cyber strategy: A starting point

National Strategy to Secure Cyberspace

Related Links

The National Strategy to Secure Cyberspace that the Bush administration released today is a draft -- a roadmap that will become more detailed as comments are returned and expertise evolves within government and the private sector, according to the document.

Parts of the draft strategy, developed by the Critical Infrastructure Protection Board in cooperation with the private sector, are more detailed than others. Recommendations for the federal government sector include:

* That the CIO Council and relevant agencies consider creating a "cyberspace academy" to link federal cybersecurity and computer forensics training programs.

* That the Office of Management and Budget establish an Office of Information Security Support Services within the proposed Homeland Security Department to pool security resources from across government to support smaller and less-experienced agencies.

* That the government examine the idea of certifying private-sector security providers, based on the certifications being performed by the national security community. This could lead to limiting contract awards for security services to certified companies.

The Critical Infrastructure Protection Board executive branch Information Systems Security Committee, the Office of Federal Procurement Policy and the Federal Acquisition Regulation Council are also examining how to improve security in the systems and solutions that agencies procure from vendors. They are reviewing the National Infrastructure Assurance Program's security accreditation process -- as well as its mandated implementation at the Defense Department -- to determine the possible impact of extending the DOD requirement to civilian agencies.

"The federal government recognizes that past efforts such as this have failed, but believes that the heightened level of government and consumer concerns over significant flaws in information technology products warrants renewed efforts," the draft states.

That review will be completed by the fourth quarter of fiscal 2003.

The committee also plans to examine the viability of establishing uniform security practices for different categories of programs and services, falling into high, medium and low levels of risk.

The draft also includes recommendations developed by and for industry and academia, including:

* That Internet service providers should consider adopting a "code of conduct" governing their security practices and interactions.

* That colleges and universities should enhance their security capabilities by considering the establishment of one or more information sharing and analysis centers, empowering their chief information officers, adopting best practices, and creating model awareness and training materials.

The entire draft strategy is available online at, and the board is asking for comment through that Web site by Nov. 18. The board also plans to hold eight more town hall-style meetings across the country to solicit comment and reaction. All of that information will be incorporated into the draft to create a complete strategy that will be approved by President Bush.


  • Comment
    Diverse Workforce (Image: Shutterstock)

    Who cares if you wear a hoodie or a suit? It’s the mission that matters most

    Responding to Steve Kelman's recent blog post, Alan Thomas shares the inside story on 18F's evolution.

  • Cybersecurity
    enterprise security (Omelchenko/

    Does Einstein need a post-SolarWinds makeover?

    A marquee program designed to protect the government against cybersecurity threats is facing new scrutiny in the wake of Solar Winds Orion breach, but analysts say the program was unlikely to have ever stopped the hacking campaign.

Stay Connected