CIO Council goes on offense
With time running out before the new fiscal year begins, the CIO Council
plans to issue two memorandums within the next two weeks to agencies and
Congress that urge putting in place policies that would better secure government
computers.
One memo will require agencies to establish a relationship with the
Federal Computer Incident Response Capability (FedCIRC), which disseminates
information about and coordinates responses to cyberattacks across civilian
agencies. The other will be an open letter to Congress — but aimed at the
appropriations committees — emphasizing the importance of funding cross-government
security initiatives in the 2001 budget.
The council wants to issue the memos, especially the plea for more
security funding, as soon as possible to take advantage of the time left
before the next fiscal year begins Oct. 1, officials said.
"If we don't get [the funding memo] out in the next week or so, we lose
a lot of the opportunity" to secure funding, said John Gilligan, co-chairman
of the security committee and Energy Department CIO. Congress returns from
recess after Labor Day and will be pressured to finish up the appropriations
bills so that members can return home to campaign.
The memo to Congress will request that the appropriations committees
support about $40 million in security initiatives, including FedCIRC, a
team of security experts at the National Institute of Standards and Technology
that will serve as a resource to all agencies, and continued leadership
from the Treasury Department for governmentwide public-key infrastructure
efforts.
The council wants members of the appropriations committees to understand
that the funding choices they make will affect many more agencies than just
the ones that each committee has authority over. Attached to the memo will
be a host of supporting examples and explanations as to why a single agency
is taking action on behalf of the rest of government and the ramifications
of not receiving funding, Gilligan said.
A lack of funding so far from the appropriations committees has been
the No. 1 topic at many gatherings of government security professionals,
said Dave Jarrell, program manager of FedCIRC at the General Services Administration.
Many agency officials have become frustrated and see this memo as kick-starting
their efforts again. "It will get the attention of all the agencies if and
when Congress takes notice and starts funding these initiatives," he said.
"I think that this is going to be a crucial step."
The money sought for FedCIRC also will support the second memo the council
plans to issue, which sets the stage for full dissemination of information
and response to cyberattacks across government and within each agency.
This memo requires agencies to link into the FedCIRC network to ensure
that every agency receives warnings, software patches and other information
from the organization and also to ensure that agencies report any anomalous
incidents back to FedCIRC. That will provide a full view of incidents across
government.
"We're trying to get people to look at the bigger picture," Jarrell
said. "We want people to realize that if they have a piece of information,
it may be of little significance to them, but it may be of great significance
to the government."
The memo also requires agencies to establish a formal process for disseminating
FedCIRC information throughout their organizations and reporting to FedCIRC
that information has been distributed. This will shorten the time it takes
for agencies to coordinate responses to attacks and is key for incidents
like the "ILOVEYOU" virus, where "minutes made a difference," Gilligan said.
With the two memos, the council, FedCIRC and the other government security
organizations are trying to instill procedures that will change the culture
of government and raise awareness of the steps that must be taken to keep
their agencies secure. "We have to get people into the habit of embedding
security in their daily practices so that they're not even thinking about
it," Jarrell said.