EDS certified for security assessments

Electronic Data Systems Corp. has been approved to use an information security assessment methodology endorsed by the Critical Information Assurance Office (CIAO) to help federal agencies identify vulnerabilities in their computer networks.

Agencies are turning their attention to security issues as their Year 2000 remediation projects wind down and as pressure mounts for compliance with Presidential Decision Directive (PDD) 63, which asks agencies to come up with plans to protect their key systems, and with other security requirements issued by the Office of Management and Budget.

EDS received the approval after being rated against the information security assessment capability maturity model (CMM), which was developed by the National Security Agency in cooperation with the system security engineering CMM project, an NSA spokeswoman said.

CMMs are designed to help organizations develop a consistent, well-documented set of processes in a particular area. The CMM concept came out of the federally funded Software Engineering Institute at Carnegie Mellon University, which originally developed a CMM for software engineering. CMMs are designed to ensure that a given process can be carried out in a similar fashion, with similar results, from project to project.

Several companies worked on the system security engineering CMM project over the past couple of years, said Daryl Eckard, director of technical services for EDS' Information Assurance Group.

NSA picked the key process areas out of the system security engineering CMM to develop the information security assessment CMM, Eckard said. NSA identified those pieces as things that could be used for appraisals to make sure companies do assessments according to a consistent methodology, he said.

Computer Sciences Corp.'s Information Assurance Solution Operations unit received approval in February for its systems security engineering CMM. CSC is offering its services under the General Services Administration's Safeguard Program, a CSC spokesman said. The Safeguard Program is intended to help agencies develop plans required under PDD 63 to protect their critical information systems.

The approval of EDS' processes confirms its maturity to assess the protection of agencies' critical information infrastructures and qualifies EDS' Information Assurance Center of Excellence in Herndon, Va., to perform assessments, Eckard said.

EDS officials began the appraisal process a little less than a year ago by building on existing processes as they learned the agency's security assessment methodology. The CIAO then appraised EDS' ability to use the methodology in a week-long process, Eckard said.

EDS already has begun working with about six agencies to examine their security processes and determine where their vulnerabilities are, offering countermeasures and security mechanisms involving a combination of technologies to protect their critical systems and data.

"We do an objective look and determine where the holes are," Eckard said.

The assessments examine an agency's local-area networks and other parts of the infrastructure, as well as some of the agency's business processes. Typical suggestions for improvement include changing those processes and taking steps such as subscribing to services that provide information on threat vulnerability and developing policies to ensure that employees are aware of security issues.