FAA moves on infosec awareness

A year after the Federal Aviation Administration's chief information officer established the agency's information security office and started setting agencywide security policies, his effort is moving to the grass-roots level.

"Last year, I was writing white papers," said Daniel Mehan, the FAA's CIO. "This year, we're giving out trinkets."

Mehan and Michael Brown, who was hired last month as director of the FAA's Office of Information Security, are conducting an outreach campaign over the next six months via awareness events about information security at agency facilities across the country. The first such event was April 4 at the FAA headquarters.

The trinkets Mehan mentioned are cardboard pyramids that explain the FAA's five layers of system protection and calendars that include tips, such as "report all suspected security breaches" and "log off e-mail and/or applications before leaving," on each month of the year. Both include names and phone numbers of agency information security contacts.

The pyramid was derived from a paper Mehan wrote last year identifying five levels at which security issues arise: personnel, physical facilities, information systems security, site-specific adaptation and redundancy. It also describes solutions in each area, such as authentication, access control and confidentiality.

The stepped-up effort is the key piece of the FAA's plan to protect critical infrastructure. A number of training sessions for IT professionals concerning policies are also in development, Brown said.

"A lot of agencies will say their biggest threat is inside rather than external," said Brown, who was CIO at the Army National Guard before joining the FAA.

Mehan has taken a hard stance on all new systems, requiring that each be certified as meeting information security requirements before it is fielded. As FAA personnel start using more mobile and wireless devices, information assurance and security will become more of a challenge, he said.

It helps to have the support of Norman Mineta, secretary of the Transportation Department, FAA's parent agency, Mehan said. "In my first conversation with [Mineta], he told me he helped get PDD 63 off the ground," Mehan said, referring to Presidential Decision Directive 63, which requires agencies to audit and certify their critical IT systems by May 2003.

That doesn't mean the FAA hasn't encountered some rough spots. A recent DOT inspector general report found that some of the FAA and its contractors' Web sites were collecting information about their visitors via cookies. Since the report, they have removed most unauthorized cookies. Software on a vendor's Web site automatically generated persistent cookies without the administrator's knowledge or consent, Mehan said.

"That experience showed us how important vigilance is," he said. "The challenge for Mike [Brown] is: How do you monitor sufficiently on a regular basis to make sure what you fixed yesterday is still fixed?"
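The cookie finding and Mehan's "is it still fixed?" question describe a recurring check rather than a one-time cleanup. The script below is an added example, not code from the article or from the FAA: it parses the Set-Cookie headers a web server returns and flags every persistent cookie (one carrying an Expires or Max-Age attribute, so it survives the browser session) that is not on an explicit allowlist. The sample headers are constructed for illustration, and the `allowlist` parameter and `fetch_set_cookie` helper are this example's own names.

```python
"""Flag persistent cookies in Set-Cookie headers (added example, constructed input)."""
from __future__ import annotations

import urllib.request
from typing import Dict, FrozenSet, List

# Constructed sample of Set-Cookie headers, as a server might return them.
SAMPLE_HEADERS: List[str] = [
    "JSESSIONID=abc123; Path=/; HttpOnly",                       # session cookie: ends with the browser
    "visitor_id=9f8e7d; Expires=Wed, 01 Jan 2003 00:00:00 GMT; Path=/",  # persistent via Expires
    "tracker=xyz; Max-Age=31536000; Path=/",                     # persistent via Max-Age (one year)
    "stale=1; Max-Age=0",                                        # Max-Age<=0 deletes the cookie: not persistent
]


def parse_set_cookie(header: str) -> Dict:
    """Split one Set-Cookie header into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_persistent(cookie: Dict) -> bool:
    """A cookie is persistent if it has a positive Max-Age, or an Expires when Max-Age is absent.

    RFC 6265 gives Max-Age precedence over Expires, so a Max-Age of zero or less
    is a deletion even if an Expires attribute is also present.
    """
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return False  # malformed Max-Age is ignored by browsers; fall through to non-persistent
    return "expires" in attrs


def audit(headers: List[str], allowlist: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Return one finding per persistent cookie whose name is not on the allowlist."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] in allowlist:
            continue
        if is_persistent(cookie):
            attrs = cookie["attrs"]
            reason = ("Max-Age=" + attrs["max-age"]) if "max-age" in attrs else ("Expires=" + attrs["expires"])
            findings.append({"name": cookie["name"], "reason": reason})
    return findings


def fetch_set_cookie(url: str) -> List[str]:
    """Fetch a URL and return its Set-Cookie headers, for use in a scheduled re-check.

    Not called below so the example stays offline; run it against your own sites only.
    """
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(f"persistent cookie not on allowlist: {finding['name']} ({finding['reason']})")
```

Run on a schedule against each site's real headers (via `fetch_set_cookie`), the script answers the question in the quote: a cookie that was removed yesterday shows up again as a finding the day a vendor's software re-enables it.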

Activities and policies planned for this year include:

Improving intrusion detection and alert distribution through the FAA's Computer Security Incident Response Capability.

Improving and refining the FAA's Information Systems Security Architecture.

Nurturing an information security research and development program.

Creating a policy on Web sites and their security requirements.

Exploring future policies on remote and mobile connectivity.