E N D
3. Presidential Decision Directive 63 Calls for a National-Level effort to assure the security of the increasingly vulnerable and interconnected infrastructures of the United States to include:
Telecommunications
Banking and Finance
Energy
Transportation
Essential Government Services
4. Helping with the Challenge National Coordinator for Security, Infrastructure Protection and Counter-Terrorism.
National Infrastructure Protection Center
Critical Infrastructure Assurance Office
Information Sharing and Analysis Centers - The National Coordinator for Security, Infrastructure Protection and Counter Terrorism is responsible for coordinating the implementation of PDD-63 and serves as the Executive Director to the National Infrastructure Assurance Council.
- The NIPC serves as a national critical infrastructure threat assessment, warning, vulnerability and law enforcement, investigation and response entity.
- The CIAO supports the National Coordinator, the development of the National Plan, and analyses of the Governments own dependencies on critical infrastructure. The CIAO also helps coordinate a national education and awareness programs and legislative issues.
The ISACs will serve as mechanisms for gathering, analyzing, appropriately sanitizing and disseminating private sector information to both industry and the NIPC.- The National Coordinator for Security, Infrastructure Protection and Counter Terrorism is responsible for coordinating the implementation of PDD-63 and serves as the Executive Director to the National Infrastructure Assurance Council.
- The NIPC serves as a national critical infrastructure threat assessment, warning, vulnerability and law enforcement, investigation and response entity.
- The CIAO supports the National Coordinator, the development of the National Plan, and analyses of the Governments own dependencies on critical infrastructure. The CIAO also helps coordinate a national education and awareness programs and legislative issues.
The ISACs will serve as mechanisms for gathering, analyzing, appropriately sanitizing and disseminating private sector information to both industry and the NIPC.
5. Infrastructure Assurance Goals Establish public-private sector partnership to make identification of critical interdependencies.
Establish a National Infrastructure Assurance Plan between Government and industry partners.
Provide a wide range of solution sets to strengthen our nations defenses against emerging unconventional threats.
6. Develop robust intelligence and law enforcement capabilities to protect critical information systems consistent with the law.
Develop outreach programs for improved cyber-security awareness.
Assure the protection of Privacy and Civil liberties
7. Agency Baselines Identify Critical Systems and Infrastructures
Develop Clear Understanding of Mandates
Inventory and Audit Existing Capability
Highlight Critical Initiatives
Develop an Agency Roadmap
Identify Major Actions and Milestones
8. Organizational Initiatives Establish an Information Assurance Management Group
Develop an Evolutionary Planning Process
Complete Vulnerability Assessments Based on Risk Management Model
Implement IT Security Education, Training and Awareness Program
Ensure Linkage to IT Capital Planning and Budget Process - Critical
9. Build a Security Infrastructure Security Architecture
Configuration Management
Public Key Infrastructure
Virtual Private Networks
Enablers - Certificates/Digital Signatures
Intrusion Detection Tools
10. Some Quick Hits Complete Outside Analysis/Assessment
Red Team - Broad Based
Identifies Scope/Nature of Problem
Base Line for Follow-on Analysis
Establish Password Management Program
Patch Known Vulnerabilities
Follow Existing Security Guidance
Report Incidents to FedCIRC
11. FTS Safeguard Program In support of Presidential Decision Directive 63
Provides a full range of professional services and unique products.
12. Client Benefits Cost Effective Security Solutions
Rapid Response
Multiple Industry Partners with Diverse Capabilities
Available Worldwide to Federal Government Users
The goal is to combat cyber crime and strengthen the Nations defenses against emerging, unconventional threats to our critical information systems.
The Safeguard program can help by assisting Federal agencies in developing plans and solutions for critical information infrastructure protection.
Safeguard can provide customer agencies with a full range of professional infrastructure assurance services and unique products.
The available services include everything from continuity and contingency planning to protecting an agencys physical infrastructure. The goal is to combat cyber crime and strengthen the Nations defenses against emerging, unconventional threats to our critical information systems.
The Safeguard program can help by assisting Federal agencies in developing plans and solutions for critical information infrastructure protection.
Safeguard can provide customer agencies with a full range of professional infrastructure assurance services and unique products.
The available services include everything from continuity and contingency planning to protecting an agencys physical infrastructure.
13. Safeguard Solutions Critical Infrastructure Asset Identification
Vulnerability Assessment and Threat Identification
CIP Readiness and Contingency Planning
Physical Infrastructure Protection
Information Systems Security and Information Assurance Services
Emergency Preparedness Training, Exercises and Simulation
14. Safeguard Industry Partners* The twenty seven industry partners on the Safeguard BPA are recognized leaders in the field of security assurance Anteon
Analytical Systems Engineering
BBN
Booz-Allen & Hamilton
CACI
Collins Consulting Group
Computer Sciences Corp.
Electronic Data Systems
Electronic Warfare Associates
GRC International
GTE Government Systems
Intermetrics
IMB Kajax Engineering
KPMG LLP
L&E Associates
Litton/PRC
Litton/TASC
Lockheed Martin
Logicon
SAIC
SRA International
STG
Telos
Trident Data Systems
TRW
Unisys
In FY 1999, FTS awarded 27 Blanket Purchase Agreements under Safeguard.
While there are other contracts with information assurance services available, Safeguard is the only program focusing specifically on PDD-63.
This plus the fact that it is a GSA contract designed to be flexible and easy-to-use make it very attractive to agencies that are concerned with critical infrastructure protection and struggling to comply with the directive as quickly as they can.
The BPAs are open to all Federal Agencies and multiple ordering options are available to meet your needs. In FY 1999, FTS awarded 27 Blanket Purchase Agreements under Safeguard.
While there are other contracts with information assurance services available, Safeguard is the only program focusing specifically on PDD-63.
This plus the fact that it is a GSA contract designed to be flexible and easy-to-use make it very attractive to agencies that are concerned with critical infrastructure protection and struggling to comply with the directive as quickly as they can.
The BPAs are open to all Federal Agencies and multiple ordering options are available to meet your needs.
15. Two Ways to Use Safeguard Direct Order
Procurement Authority Delegated to Agency
Task Management by the Office of Information Security
Experienced INFOSEC Specialists
Cleared to Top Secret/Special Access
Trusted Neutral Party
Rapid Response
GSA Information Technology (IT) Fund
16. Access Certificates for Electronic Services (ACES) The Problem
Privacy concerns dictate the need for the Federal Governments particular diligence in identifying the individual requesting information or services.
ACES is a major milestone in the governments ability to provide the necessary security technology to enable our electronic processes.
ACES provides the public and government with the ability to do business together electronically and securely.
Invaluable as we continue our move into the Internet environment as a means of doing business
ACES is a major milestone in the governments ability to provide the necessary security technology to enable our electronic processes.
ACES provides the public and government with the ability to do business together electronically and securely.
Invaluable as we continue our move into the Internet environment as a means of doing business
17. The Concept ACES provides the American Public secure electronic access to privacy related Federal Government information and services through the use of public key technology.
18. Features ACES provides a Government-wide public key infrastructure with strong authentication using identity-based digital signature certificates. The ACES PKI offers:
Identity Proofing
Certificate Issuance
On-Line Validation
Certificate Management
Optional Hardware Tokens
Supplemental PKI Services
The ACES PKI is a flexible government PKI with a host of available features and services to meet the unique needs and requirements of individual Government Agencies.
There is no cost to the Public using the ACES model.
ACES has the potential to reduce overall costs by aggregating government requirements.
The ACES PKI is a flexible government PKI with a host of available features and services to meet the unique needs and requirements of individual Government Agencies.
There is no cost to the Public using the ACES model.
ACES has the potential to reduce overall costs by aggregating government requirements.
19. Industry Partners In FY 1999, FTS awarded a contract for services that will use public key infrastructure certificates as the enabling technology to provide end-to-end security of electronic information for the citizen and the Government.
ACES is a multiple award schedule contract for registration and certificate authority services.
Contract is for 3 base years + a 3-year option
The ACES Industry Partners are leaders in the field of PKI
In September, FTS made the first ACES award to Digital Signature Trust Company of Salt Lake City.
A second award was made to a minority owned 8(a) company, Operational Research Consultants (ORC) of Chesapeake, VA.
Our most recent award went to AT&T.
NIH was the first to enter into an inter-agency agreement with FTS for PKI services under the ACES contract. In FY 1999, FTS awarded a contract for services that will use public key infrastructure certificates as the enabling technology to provide end-to-end security of electronic information for the citizen and the Government.
ACES is a multiple award schedule contract for registration and certificate authority services.
Contract is for 3 base years + a 3-year option
The ACES Industry Partners are leaders in the field of PKI
In September, FTS made the first ACES award to Digital Signature Trust Company of Salt Lake City.
A second award was made to a minority owned 8(a) company, Operational Research Consultants (ORC) of Chesapeake, VA.
Our most recent award went to AT&T.
NIH was the first to enter into an inter-agency agreement with FTS for PKI services under the ACES contract.
20. Liability Common-sense approach
Contractual Requirement under Section H
Protected under the Federal Tort Claims Act
Case Law is non-existent
Third Party Liability
Will be set by case law
21. Defining Need ACES provides strong authentication using identity-based digital signature certificates.
Agencies should consider the need for such strong authentication when deciding which on line applications need ACES protection.
Five categories of Government to Public communications have been identified by OMB that could require this strong authentication.
22. Five CategoriesRequiring Strong Authentication Benefits
Grants
Filings
Personal/Private/Proprietary Information
Procurement
23. Federal Computer Incident Response Capability (FedCIRC) GOALS
Cooperation Among Federal Agencies
Prevention
Detection
Binding & Recovery Incidents
Communication of Alert & Advisory Information
Augment Incident Response Capabilities of Federal Agencies
Sharing of Security-Related Information, Tools, and Techniques
24. Incident Reporting
Telephone Hotline 24x7
Electronic Mail
Facsimile
Incident Handling
Conduct triage and analysis
Provide containment and recovery assistance, incident coordination and analysis
Augment existing agency emergency response capability Baseline Services - Incident Response
25. Security Bulletins, Advisories, Links to Analysis Tools
Data collection
Data warehousing and dissemination
Links to security tools
Vulnerability fixes
Competency Development
Web based instruction and development
Course development
Information updates Baseline Services - Prevention & Recognition
26. Collaborative Agreements FedCIRC Operational Partner
Carnegie Mellon CERT/CC
Existing Incident Response Teams
Federal Departments and Agencies
27. How can FedCIRC help you and your agency? Coordination with agencies for the effective prevention, detection, containment, and recovery from computer security incidents.
Provide alert and advisory information regarding potential threats and emerging incidents situations.
Assist in establishing or augmenting an incident response capability.
Facilitate the dissemination of security-related information, tools and techniques.
28. Federal Intrusion Detection Network (FIDNet) Be a new capability--pilot proposal
Probably more than current products/services
Certainly more than just new sensors
Incorporate current & future R&D
Leverage technical development(s)
Include personnel development
Work as one with FedCIRC
Analyze & correlate IDS output
Not usurp agency autonomy
Interoperability
Flexibility
Adaptability
Extensibility
Interoperability
Flexibility
Adaptability
Extensibility
29. Example Network Security Mgmt
30. 4 Levels of Data Flow This is why GSA. FBI cannot legally do Level 1
IBM ERS statistic analysis
Raise the bar by better correlation of IDS outputThis is why GSA. FBI cannot legally do Level 1
IBM ERS statistic analysis
Raise the bar by better correlation of IDS output
31. Proposed FIDNet Architecture4 Distinct Levels of Data Flow PRIVACY CONCERNS as mapped to lvls of data flowPRIVACY CONCERNS as mapped to lvls of data flow
32. Points of Contact Safeguard Program
www.fts.gsa.gov/safeguard
Program Manager - Richard Krauss
Tel: 202-708-7531
Business Development - Ron Mock
Tel: 202-708-9942
Contracting - Thomas Robel
Tel: 202-708-7650
ACES
www.gsa.gov/aces
Program Manager - Stan Choffrey
Tel: 202-708-7943
Contracting Officer - Jeanne Davis
Tel: 781-860-7138
FedCIRC
www.fedcirc.gov
For Information
Tel: 202-708-5060
Fax: 202-708-5869
Email:fedcirc-info@fedcirc.gov
For Incident Response
Tel: 1-888-282-0870
Fax: 412-268-6989
Email:fedcirc@fedcirc.gov
FIDNET
Program Manager - Darwyn Banks
Tel: 202-708-6543