Critical Infrastructure Coordination Group CICG Meeting 5th Floor

1
General Services Administration Federal
Technology Service Office of Information
Security Information Assurance Solutions
2
Overview

• Presidential Decision Directive 63
• FTS Safeguard Program
• ACES
• FedCIRC
• FIDNet

3
Presidential Decision Directive 63

• Calls for a National-Level effort to assure the
  security of the increasingly vulnerable and
  interconnected infrastructures of the United
  States to include
• Telecommunications
• Banking and Finance
• Energy
• Transportation
• Essential Government Services

4
Helping with the Challenge

• National Coordinator for Security, Infrastructure
  Protection and Counter-Terrorism.
• National Infrastructure Protection Center
• Critical Infrastructure Assurance Office
• Information Sharing and Analysis Centers

5
Infrastructure Assurance Goals

• Establish public-private sector partnership to
  make identification of critical
  interdependencies.
• Establish a National Infrastructure Assurance
  Plan between Government and industry partners.
• Provide a wide range of solution sets to
  strengthen our nations defenses against emerging
  unconventional threats.

6
Infrastructure Assurance Goals Cont.

• Develop robust intelligence and law enforcement
  capabilities to protect critical information
  systems consistent with the law.
• Develop outreach programs for improved
  cyber-security awareness.
• Assure the protection of Privacy and Civil
  liberties

7
Agency Baselines

• Identify Critical Systems and Infrastructures
• Develop Clear Understanding of Mandates
• Inventory and Audit Existing Capability
• Highlight Critical Initiatives
• Develop an Agency Roadmap
• Identify Major Actions and Milestones

8
Organizational Initiatives

• Establish an Information Assurance Management
  Group
• Develop an Evolutionary Planning Process
• Complete Vulnerability Assessments Based on
  Risk Management Model
• Implement IT Security Education, Training
  and Awareness Program
• Ensure Linkage to IT Capital Planning and
  Budget Process - Critical

9
Build a Security Infrastructure

• Security Architecture
• Configuration Management
• Public Key Infrastructure
• Virtual Private Networks
• Enablers - Certificates/Digital Signatures
• Intrusion Detection Tools

• A-130

10
Some Quick Hits

• Complete Outside Analysis/Assessment
• Red Team - Broad Based
• Identifies Scope/Nature of Problem
• Base Line for Follow-on Analysis
• Establish Password Management Program
• Patch Known Vulnerabilities
• Follow Existing Security Guidance
• Report Incidents to FedCIRC

11
FTS Safeguard Program

• In support of Presidential Decision Directive 63
• Provides a full range of professional services
  and unique products.

12
Client Benefits

• Cost Effective Security Solutions
• Rapid Response
• Multiple Industry Partners with Diverse
  Capabilities
• Available Worldwide to Federal Government Users

13
Safeguard Solutions

• Critical Infrastructure Asset Identification
• Vulnerability Assessment and Threat
  Identification
• CIP Readiness and Contingency Planning
• Physical Infrastructure Protection
• Information Systems Security and Information
  Assurance Services
• Emergency Preparedness Training, Exercises and
  Simulation

14
Safeguard Industry Partners The twenty seven
industry partners on the Safeguard BPA are
recognized leaders in the field of security
assurance

• Kajax Engineering
• KPMG LLP
• LE Associates
• Litton/PRC
• Litton/TASC
• Lockheed Martin
• Logicon
• SAIC
• SRA International
• STG
• Telos
• Trident Data Systems
• TRW
• Unisys

• Anteon
• Analytical Systems Engineering
• BBN
• Booz-Allen Hamilton
• CACI
• Collins Consulting Group
• Computer Sciences Corp.
• Electronic Data Systems
• Electronic Warfare Associates
• GRC International
• GTE Government Systems
• Intermetrics
• IMB

15
Two Ways to Use Safeguard

• Direct Order
• Procurement Authority Delegated to Agency
• Task Management by the Office of Information
  Security
• Experienced INFOSEC Specialists
• Cleared to Top Secret/Special Access
• Trusted Neutral Party
• Rapid Response
• GSA Information Technology (IT) Fund

16
Access Certificates for Electronic Services
(ACES)

• The Problem
• Privacy concerns dictate the need for the Federal
  Governments particular diligence in identifying
  the individual requesting information or
  services.

17
The Concept

• ACES provides the American Public secure
  electronic access to privacy related Federal
  Government information and services through the
  use of public key technology.

18
Features

• ACES provides a Government-wide public key
  infrastructure with strong authentication using
  identity-based digital signature certificates.
  The ACES PKI offers
• Identity Proofing
• Certificate Issuance
• On-Line Validation
• Certificate Management
• Optional Hardware Tokens
• Supplemental PKI Services

19
Industry Partners
ABAecom, America Online, Baltimore Technologies,
Booz-Allen Hamilton, Computer Sciences Corp.
(CSC), Cygnacom Solutions, Entrust, Microsoft,
Netscape National Computer Systems, Price
Waterhouse Coopers, Valicert Inc., Xcert
International Inc.
Verisign, Inc.
Cygnacom Solutions, DataKey, Litronics, nCipher,
Netscape
20
Liability

• Common-sense approach
• Contractual Requirement under Section H
• Protected under the Federal Tort Claims Act
• Case Law is non-existent
• Third Party Liability
• Will be set by case law

21
Defining Need

• ACES provides strong authentication using
  identity-based digital signature certificates.
• Agencies should consider the need for such strong
  authentication when deciding which on line
  applications need ACES protection.
• Five categories of Government to Public
  communications have been identified by OMB that
  could require this strong authentication.

22
Five CategoriesRequiring Strong Authentication

• Benefits
• Grants
• Filings
• Personal/Private/Proprietary Information
• Procurement

23
Federal Computer Incident Response Capability
(FedCIRC)

• GOALS
• Cooperation Among Federal Agencies
• Prevention
• Detection
• Binding Recovery Incidents
• Communication of Alert Advisory Information
• Augment Incident Response Capabilities of
  Federal Agencies
• Sharing of Security-Related Information, Tools,
  and Techniques

24
Baseline Services - Incident Response

• Incident Reporting
• Telephone Hotline 24x7
• Electronic Mail
• Facsimile
• Incident Handling
• Conduct triage and analysis
• Provide containment and recovery assistance,
  incident coordination and analysis
• Augment existing agency emergency response
  capability

25
Baseline Services - Prevention Recognition

• Security Bulletins, Advisories, Links to Analysis
  Tools
• Data collection
• Data warehousing and dissemination
• Links to security tools
• Vulnerability fixes
• Competency Development
• Web based instruction and development
• Course development
• Information updates

26
Collaborative Agreements

• FedCIRC Operational Partner
• Carnegie Mellon CERT/CC
• Existing Incident Response Teams
• Federal Departments and Agencies

27
How can FedCIRC help you and your agency?

• Coordination with agencies for the effective
  prevention, detection, containment, and recovery
  from computer security incidents.
• Provide alert and advisory information regarding
  potential threats and emerging incidents
  situations.
• Assist in establishing or augmenting an incident
  response capability.
• Facilitate the dissemination of security-related
  information, tools and techniques.

28
Federal Intrusion Detection Network (FIDNet)

• Be a new capability--pilot proposal
• Probably more than current products/services
• Certainly more than just new sensors
• Incorporate current future RD
• Leverage technical development(s)
• Include personnel development
• Work as one with FedCIRC
• Analyze correlate IDS output
• Not usurp agency autonomy

29
Example Network Security Mgmt
30
4 Levels of Data Flow
31
Proposed FIDNet Architecture4 Distinct Levels of
Data Flow
Level 0
Level 1
Level 2
Level 3
32
Points of Contact

• FedCIRC
• www.fedcirc.gov
• For Information
• Tel 202-708-5060
• Fax 202-708-5869
• Emailfedcirc-info_at_fedcirc.gov
• For Incident Response
• Tel 1-888-282-0870
• Fax 412-268-6989
• Emailfedcirc_at_fedcirc.gov
• FIDNET
• Program Manager - Darwyn Banks
• Tel 202-708-6543

• Safeguard Program
• www.fts.gsa.gov/safeguard
• Program Manager - Richard Krauss
• Tel 202-708-7531
• Business Development - Ron Mock
• Tel 202-708-9942
• Contracting - Thomas Robel
• Tel 202-708-7650
• ACES
• www.gsa.gov/aces
• Program Manager - Stan Choffrey
• Tel 202-708-7943
• Contracting Officer - Jeanne Davis
• Tel 781-860-7138

Office of Information Security (202) 708-7000 -
www.fts.gsa.gov/infosec