Connecting the dots among security initiatives

Agency officials are dealing with a multitude of network and information technology initiatives this year. Work continues on the transition to the year-old Networx network services contracts, and agencies are rushing to convert their Internet backbones to the latest IP version while simultaneously eliminating most of their external connections to the Internet under the IPv6 and Trusted Internet Connections (TIC) initiatives. However, as daunting as the challenges look, they might seem more manageable if officials thought of them as pieces of a whole. A variety of agency and industry veterans shared success tips and lessons learned with a similarly mixed audience last week at “Networx, TIC and More: Connecting the Dots,” a daylong conference co-produced by 1105 Government Information Group and Topside Consulting Group. The conference’s goal was to show the connections between various IT and network initiatives and present useful information for agencies involved in those programs.  The General Services Administration awarded Networx, a multiple-award telecommunications and network services contract, more than a year ago, but agencies are only slowly moving services onto the new vehicles from the expiring FTS 2001 contracts. Many people look back to the late 1990s, when the government was moving from FTS 2000 to FTS 2001, for inspiration and caution. John Johnson, assistant commissioner for integrated technology services at GSA’s Federal Acquisition Service, said the parallels only go so far.  “This time is very different,” he said. “The world we live in is not the same world we lived in 10 years ago. The services being moved are significantly more complex than they were then.”One reason for the sluggish pace is the complexity of the contract’s fair-opportunity requirements, said Lori DeVenoge, telecommunications manager at the Homeland Security Department’s Immigration and Customs Enforcement bureau. “One of our first shockers was when [agencies] started to learn about the whole fair-opportunity process,” she said. “Fair opportunity took people aback.” Fair opportunity essentially means that agencies must allow all the companies on the chosen Networx contract — Networx Universal or Networx Enterprise — a chance to compete for task orders agencies place. It can be time-consuming.However, tools are available to make the transition easier, said Gary Wall, Networx transition manager at the Health and Human Services Department. GSA has opened a Networx Transition Center to provide aid in addition to an online pricing tool that agencies can use to look up prices that competing contract holders have set, among other helpful resources. “There are a lot of tools out there,” Wall said. “It’s time for us to use them.”The pricing tool, which allows agencies to look up current prices and price changes over the 10-year life of the Networx contracts, is especially useful for small agencies, Wall said. It allows comparison of scenarios that agencies might consider before settling on choices. However, for many agencies, price is not the only factor to consider. “In my agency, we’re going for a best-value decision,” Wall said. “It’s not based just on price.”William Kinter, executive director of program management at Verizon Business, said the key to using any kind of price-prediction tool is to be certain the comparison is between equivalent products. But having a firm understanding of costs is important, Kinter said. “I think people vastly, vastly underestimate transition costs.” Wall and other speakers on a Networx transition panel agreed on the importance of preparing for transition and especially identifying stakeholders and setting up a business structure and hierarchy around Networx that allow for stakeholders’ full involvement in the process. Transition is “not something to fear,” Wall said. “It’s something that can be used to an advantage. But if you take the wrong path, it can be painful.”Under the TIC initiative, agencies are supposed to identify their connections to the Internet and eliminate as many as possible. The goal is to know where the access points are and, by getting rid of as many as possible, make it easier to monitor and manage them. Officials leading the initiative said they hope to end up with no more than 50 access points governmentwide by June 30, down from the roughly 4,000 that had existed. Many agencies had allowed Internet connections to proliferate and exposed information to unnecessary risk by not carefully guarding the traffic flowing through them, said Karen Evans, administrator for e-government and information technology at the Office of Management and Budget. The goal of TIC is to reduce that risk, she said. The number has already been cut to fewer than 300, she added. Evans’ keynote address at the conference also touched on IT managers’ efforts to comply with the Federal Desktop Core Configuration initiative. There are “some really aggressive timelines in these, but we believe all this is achievable,” she said. One pair of dots to connect between TIC and Networx is creating data transport services that comply with the initiative, said Randy Vickers, associate deputy director of DHS’ U.S. Computer Emergency Readiness Team. Vickers said DHS and GSA are collaborating with the five Networx vendors to prepare the data transport services. DHS still must define requirements for the services, but it expects to do so by mid-June, Vickers said. The goal is to have compliant services available through Networx by Nov. 15, he said. The providers and agencies must be certain their network hardware can handle the increased demands agencies will put on the remaining 50 connections, said David Garbin, a senior fellow at Noblis who moderated the TIC panel. Vickers said consolidation enhances security by giving potential hackers fewer entry ports and making it much easier for network managers to watch the connections and take measures to prevent attacks. However, consolidation also means a successful attack could be more crippling because there will be fewer conduits of data into or out of the agencies. Meanwhile, much of the attention given to the IPv6 initiative has centered on the June 30 target for upgrading agency network backbones to run the protocol. But agencies should prepare for the months and years after that target, which are going to be a time of continued change, members of another conference panel said. The June target asks only that agencies replace older network hardware with components compatible with the new protocol. Agencies don’t have to actually use it. Turning the new Internet backbone on for tests and then shutting it down would qualify as a measure of success. But as time passes, more applications using IPv6 will emerge, and agencies will begin to implement them. To those responsible for planning the transition to IPv6, the panelists recommended using infrastructure segment architecture, a subset of enterprise architecture that maps only one aspect of an agency’s business operations.  “It’s important to use that as a tool to plan holistically,” said Kshmendra Paul, chief architect of OMB’s Office of E-Government and IT. “It’s not that it’s additional work. It’s a coordinating function. Agencies are already doing the work.”Networx vendors — the prime contractors and their partners — will be among the chief suppliers of the applications that will make IPv6 worthwhile, said Peter Tseronis, chairman of the Federal IPv6 Working Group. “It’s up to the agencies and the vendors supplying the agencies,” he said. “Those are the discussions that should be happening because June 30 is anticlimactic.”