Security and Privacy:
Protecting Your Agency and the Public as You Move into the Information Age

Seminar date: December 8, 1999

Industry sponsors of the seminar

 


Digital Signature Trust Co.


International Business Machines Corporation


AXENT Technologies, Inc.

 

 

 

Federal IT Security--The New Day Dawns

 

  by Robert Green
Special to GCN
   
 

Citing new IT security assets, federal and industry experts told a recent meeting in Washington they are ready to jump a major hurdle standing between agencies and the robust e-commerce capabilities fueling the free-market Internet boom.

The new assets for better security generally take the form of contracts for public key infrastructure (PKI) security methods. PKI and related encryption-type technologies are already broadly used by banks and financial companies, online retailers, Internet portals, and the so-called "dot coms" that dominate the soaring online economy.

The government's PKI "buy in" has lagged but will blossom as at least three new programs are fully instituted across agencies, said speakers at the conference on "Security and Privacy." The conference was held on December 8 and presented by the Council for Excellence in Government, the Digital Government Institute and GCN.

The new contracts include:

  • the Defense Department's Interim External Certificate Authority (IECA), expected to greatly close the electronic gap between DOD and its universe of contractors;
  • the General Services Administration's "Safeguard" program BPA, giving critical infrastructure IT managers a new avenue for pitting a full range of security services and systems against the possibility of catastrophic events;
  • and, perhaps most significantly, the GSA's finally realized ACES contract for the use of government-standard digital certificates, the baseline PKI element that makes millions of daily online transactions routine in the overall Internet economy already.

ACES 'Sweeps'
"I think ACES could have sweeping impact in terms of how agencies do business," said Keren Cummins, a former Commerce Department IT leader, now the ACES program manager for Digital Signature Trust Co., one of three providers of digital certificate-related ACES services to GSA.

GSA officials will be putting the three ACES contractors through final acceptance tests this month and plan to have the contract running full-bore by the end of January. One agency activity within the National Institutes of Health has already submitted a task order under ACES, though many more will follow, officials have said.

ACES gives both the federal contractor community and the public a way of establishing secure transactional relationships with agencies using the digital certificate/authentication method of public-private key encryption technology, through what are called "CERTs."

From the user standpoint, Cummins said that CERTs will be as significant as credit cards and might similarly evolve as acceptance grows.

The first ACES tasks probably will be fashioned to serve direct Internet-based business connections, "like the Texaco or Exxon card we all used to carry," Cummins said. But she thinks CERTs will eventually broaden to give contractors and citizens a "one-certificate-fits-all" link across the government--"like a Visa card that you can use most anywhere."

More Security
The acceptance of PKI in agencies will get a boost from ACES, said Brian Finan, federal account manager at Axent Technologies Inc., an IT security company. "But people need to have a better understanding of PKI's potential than they have now," he added.

PKI is a long-evolving security strategy that might make infrastructure demands on IT shops, added Chris Daley, federal market practice leader at IBM. These demands translate into budget worries for agency IT departments, who by and large have not been able to make security a line item in their IT budgets.

Daly noted that line items for the Y2K effort led to a system of "accountability" that made agencies a lot more effective in fixing date codes. Finan said that beefing up the budget for security will probably require that federal IT staff persuade superiors that "good security is an investment."

Follow the Money
Agencies have no choice but to make the investment. According to recent reports, the federal government has spent $7.6 billion on Internet-related technology in 1999. Next year, the estimate is $10.6 billion, and by 2003 the expenditure will be $25.2 billion, with spending growth put at 56 percent per year.

A small though significant part of that expenditure is encompassed by DOD's IECA certificates program, which recently began running as an interim method for contractors to obtain both digital authentication and digital signature certificates. In fall 2000, DOD expects to make the "encryption key"-based system a permanent platform for securing its Internet business.

IECA has been called a critical component in DOD's long-standing effort to convert from manual contracting processes and also from more expensive private network-based processes to the more cost-effective public 'Net.

A Safeguarded Infrastructure
A number of speakers at the conference detailed the distinctions between government and the private sector where security and privacy are concerned--noting that government's job goes well beyond purely commercial factors.

In fact, the federal security effort remains only partly in the Internet sector of IT. The so-called "mission critical" areas are more often operating on dedicated platforms that combine modern IT systems with crucial infrastructure resources such as utility and power plants, transportation facilities, comm centers, etc., said Andy Fried, a Treasury Department leader in the effort to implement Presidential Decision Directive 63.

PDD-63 requires each agency to protect its information infrastructure against unconventional cyber threats. The GSA "Safeguard" blanket purchase agreement gives agencies access to a full range of technologies and services that only begin with PKI but include anti-virus, cryptography, firewalls, secure servers, plus tools for assessing risk, planning, designing, implementing and managing full-scale security projects and systems.

IBM Corp. is one of the prime contractors under the ambitious BPA, which was launched in May. Axent Technologies and Digital Signature Trust are Safeguard subcontractors.

The three companies sponsored the December conference, at which speakers from the Reeder Group, SANS Institute, Central Intelligence Agency, ICSA.net, GTE Cybertrust Solutions, Treasury and Justice departments, and the Office of Management and Budget addressed a wide variety of security and privacy topics.

A full account of the December 8 "Security and Privacy" Technology Excellence in Government conference will appear in a special GCN supplement in February.

   
Organized and presented by:

Government Computer News

Digital Government Institute

The Council For Excellence In Government

   
Co-presented by:

Federation Of Government Information Processing Councils

Federal Web Managers Institute, GSA

FedWorld Information Technologies/NTIS/DOC

     
     


GOVERNMENT COMPUTER NEWS
Copyright © 1999 by Post-Newsweek Business Information, Inc.,
a division of the Washington Post company.
All rights reserved.