Title: Critical Infrastructure Coordination Group CICG Meeting 5th Floor
1. General Services Administration
Federal Technology Service
Office of Information Security
Information Assurance Solutions
2. Overview
- Presidential Decision Directive 63
- FTS Safeguard Program
- ACES
- FedCIRC
- FIDNet
3. Presidential Decision Directive 63
- Calls for a National-Level effort to assure the
security of the increasingly vulnerable and
interconnected infrastructures of the United
States to include
- Telecommunications
- Banking and Finance
- Energy
- Transportation
- Essential Government Services
4. Helping with the Challenge
- National Coordinator for Security, Infrastructure
Protection and Counter-Terrorism.
- National Infrastructure Protection Center
- Critical Infrastructure Assurance Office
- Information Sharing and Analysis Centers
5. Infrastructure Assurance Goals
- Establish public-private sector partnership to
identify critical interdependencies.
- Establish a National Infrastructure Assurance
Plan between Government and industry partners.
- Provide a wide range of solution sets to
strengthen our nation's defenses against emerging
unconventional threats.
6. Infrastructure Assurance Goals Cont.
- Develop robust intelligence and law enforcement
capabilities to protect critical information
systems consistent with the law.
- Develop outreach programs for improved
cyber-security awareness.
- Assure the protection of Privacy and Civil
liberties
7. Agency Baselines
- Identify Critical Systems and Infrastructures
- Develop Clear Understanding of Mandates
- Inventory and Audit Existing Capability
- Highlight Critical Initiatives
- Develop an Agency Roadmap
- Identify Major Actions and Milestones
8. Organizational Initiatives
- Establish an Information Assurance Management
Group
- Develop an Evolutionary Planning Process
- Complete Vulnerability Assessments Based on
Risk Management Model
- Implement IT Security Education, Training
and Awareness Program
- Ensure Linkage to IT Capital Planning and
Budget Process - Critical
9. Build a Security Infrastructure
- Security Architecture
- Configuration Management
- Public Key Infrastructure
- Virtual Private Networks
- Enablers - Certificates/Digital Signatures
- Intrusion Detection Tools
10. Some Quick Hits
- Complete Outside Analysis/Assessment
- Red Team - Broad Based
- Identifies Scope/Nature of Problem
- Base Line for Follow-on Analysis
- Establish Password Management Program
- Patch Known Vulnerabilities
- Follow Existing Security Guidance
- Report Incidents to FedCIRC
11. FTS Safeguard Program
- In support of Presidential Decision Directive 63
- Provides a full range of professional services
and unique products.
12. Client Benefits
- Cost Effective Security Solutions
- Rapid Response
- Multiple Industry Partners with Diverse
Capabilities
- Available Worldwide to Federal Government Users
13. Safeguard Solutions
- Critical Infrastructure Asset Identification
- Vulnerability Assessment and Threat
Identification
- CIP Readiness and Contingency Planning
- Physical Infrastructure Protection
- Information Systems Security and Information
Assurance Services
- Emergency Preparedness Training, Exercises and
Simulation
14. Safeguard Industry Partners
The twenty-seven industry partners on the Safeguard BPA are
recognized leaders in the field of security
assurance
- Kajax Engineering
- KPMG LLP
- LE Associates
- Litton/PRC
- Litton/TASC
- Lockheed Martin
- Logicon
- SAIC
- SRA International
- STG
- Telos
- Trident Data Systems
- TRW
- Unisys
- Anteon
- Analytical Systems Engineering
- BBN
- Booz-Allen Hamilton
- CACI
- Collins Consulting Group
- Computer Sciences Corp.
- Electronic Data Systems
- Electronic Warfare Associates
- GRC International
- GTE Government Systems
- Intermetrics
- IBM
15. Two Ways to Use Safeguard
- Direct Order
- Procurement Authority Delegated to Agency
- Task Management by the Office of Information
Security
- Experienced INFOSEC Specialists
- Cleared to Top Secret/Special Access
- Trusted Neutral Party
- Rapid Response
- GSA Information Technology (IT) Fund
16. Access Certificates for Electronic Services
(ACES)
- The Problem
- Privacy concerns dictate the need for the Federal
Government's particular diligence in identifying
the individual requesting information or
services.
17. The Concept
- ACES provides the American Public secure
electronic access to privacy related Federal
Government information and services through the
use of public key technology.
18. Features
- ACES provides a Government-wide public key
infrastructure with strong authentication using
identity-based digital signature certificates.
The ACES PKI offers
- Identity Proofing
- Certificate Issuance
- On-Line Validation
- Certificate Management
- Optional Hardware Tokens
- Supplemental PKI Services
19. Industry Partners
ABAecom, America Online, Baltimore Technologies,
Booz-Allen Hamilton, Computer Sciences Corp.
(CSC), Cygnacom Solutions, Entrust, Microsoft,
Netscape, National Computer Systems, Price
Waterhouse Coopers, Valicert Inc., Xcert
International Inc.
Verisign, Inc.
Cygnacom Solutions, DataKey, Litronics, nCipher,
Netscape
20. Liability
- Common-sense approach
- Contractual Requirement under Section H
- Protected under the Federal Tort Claims Act
- Case Law is non-existent
- Third Party Liability
- Will be set by case law
21. Defining Need
- ACES provides strong authentication using
identity-based digital signature certificates.
- Agencies should consider the need for such strong
authentication when deciding which online
applications need ACES protection.
- Five categories of Government to Public
communications have been identified by OMB that
could require this strong authentication.
22. Five Categories Requiring Strong Authentication
- Benefits
- Grants
- Filings
- Personal/Private/Proprietary Information
- Procurement
23. Federal Computer Incident Response Capability
(FedCIRC)
- GOALS
- Cooperation Among Federal Agencies
- Prevention
- Detection
- Binding Recovery Incidents
- Communication of Alert Advisory Information
- Augment Incident Response Capabilities of
Federal Agencies
- Sharing of Security-Related Information, Tools,
and Techniques
24. Baseline Services - Incident Response
- Incident Reporting
- Telephone Hotline 24x7
- Electronic Mail
- Facsimile
- Incident Handling
- Conduct triage and analysis
- Provide containment and recovery assistance,
incident coordination and analysis
- Augment existing agency emergency response
capability
25. Baseline Services - Prevention and Recognition
- Security Bulletins, Advisories, Links to Analysis
Tools
- Data collection
- Data warehousing and dissemination
- Links to security tools
- Vulnerability fixes
- Competency Development
- Web based instruction and development
- Course development
- Information updates
26. Collaborative Agreements
- FedCIRC Operational Partner
- Carnegie Mellon CERT/CC
- Existing Incident Response Teams
- Federal Departments and Agencies
27. How can FedCIRC help you and your agency?
- Coordination with agencies for the effective
prevention, detection, containment, and recovery
from computer security incidents.
- Provide alert and advisory information regarding
potential threats and emerging incident
situations.
- Assist in establishing or augmenting an incident
response capability.
- Facilitate the dissemination of security-related
information, tools and techniques.
28. Federal Intrusion Detection Network (FIDNet)
- Be a new capability--pilot proposal
- Probably more than current products/services
- Certainly more than just new sensors
- Incorporate current and future R&D
- Leverage technical development(s)
- Include personnel development
- Work as one with FedCIRC
- Analyze and correlate IDS output
- Not usurp agency autonomy
29. Example Network Security Mgmt
30. 4 Levels of Data Flow
31. Proposed FIDNet Architecture: 4 Distinct Levels of
Data Flow
Level 0
Level 1
Level 2
Level 3
32. Points of Contact
- FedCIRC
- www.fedcirc.gov
- For Information
- Tel 202-708-5060
- Fax 202-708-5869
- Email fedcirc-info_at_fedcirc.gov
- For Incident Response
- Tel 1-888-282-0870
- Fax 412-268-6989
- Email fedcirc_at_fedcirc.gov
- FIDNET
- Program Manager - Darwyn Banks
- Tel 202-708-6543
- Safeguard Program
- www.fts.gsa.gov/safeguard
- Program Manager - Richard Krauss
- Tel 202-708-7531
- Business Development - Ron Mock
- Tel 202-708-9942
- Contracting - Thomas Robel
- Tel 202-708-7650
- ACES
- www.gsa.gov/aces
- Program Manager - Stan Choffrey
- Tel 202-708-7943
- Contracting Officer - Jeanne Davis
- Tel 781-860-7138
Office of Information Security (202) 708-7000 - www.fts.gsa.gov/infosec