3 March 1998
Source: http://www.senate.gov/~commerce/press/105-180.htm


U.S. Senate Committee on Commerce, Science and Transportation

FOR IMMEDIATE RELEASE
WEDNESDAY, FEBRUARY 4, 1998
105-180
Contact: Pia Pialorsi (202) 224-2670
               Margaret Camp (202) 224-5401
 

COMPUTER SECURITY HEARING
SCHEDULED FOR FEBRUARY 10


            WASHINGTON, D.C. -- Senator John McCain (R-AZ), Chairman of the Committee on Commerce, Science, and Transportation, and Senator Bill Frist (R-TN), Chairman of the Science, Technology, and Space Subcommittee, today announced a hearing on Computer Security in the Federal Government.  Members of the Subcommittee will examine current computer security vulnerabilities within civilian federal agencies and current activities to prevent unauthorized computer access.

            The Subcommittee hearing will be held on Tuesday, February 10, at 2:30 pm, in room 253 Russell Senate Office Building.  Senator Frist will preside.

            Following is the tentative witness list (not necessarily in order of appearance):

Panel I
Mr. G. Edward DeSeve, Comptroller and Acting Deputy Director for Management, Office of Management and Budget

Mr. Raymond Kammer, Director, National Institute of Standards and Technology

Panel II
Dr. Frank Perry, Assistant Deputy Director, Joint Interoperability Engineering Organization, Defense Information Systems Agency, Department of Defense

Mr. Len Baptiste, Director of Systems Standards and Evaluation, Internal Revenue Service
 
Mr. Lee Holcomb, Chief Information Officer, National Aeronautics and Space Administration

# # #

 


JYA Note: For remarks by Raymond G. Kammer on the cooperation between NIST and NSA not included in his prepared statement see: http://www.indigo-net.com/intel.html. Excerpt:

Kammer, who took up the job in November after serving for many years as NIST's deputy director, said he had personally gone to NSA following the implementation of the Computer Security Act in 1987 to sign a memorandum of understanding aimed at encouraging technical input from the NSA which specializes in electronic intelligence. "They're the best, they're really wonderful, they're good" he told the Senate panel in referring to NSA's staff. Kammer also pointed out the security risks of emanations from computer screens and keyboards and spoke about the need to shield computer rooms from the possibility the emanations would be intercepted.

Source: http://www.senate.gov/~commerce/hearings/210kam.htm

STATEMENT
 
 
OF
 
 
Raymond G. Kammer
Director
National Institute of Standards and Technology
 
 
before the
 
 
Senate Committee on Commerce, Science, and Transportation
Subcommittee on Science, Technology, and Space
 
Computer Security in the Federal Government
 
 
 
 
 
February 10, 1998

Thank you Mr. Chairman and members of the Committee for inviting me here today to testify on the critical issue of computer security.  I am Ray Kammer, Director of the National Institute of Standards and Technology (NIST), a component of the Technology Administration at the Department of Commerce.  NIST’s mission is to promote U.S. economic growth by working with industry to develop and apply technology, measurements and standards.  In the computer and communications area, our Information Technology (IT) Laboratory provides technical leadership for the nation’s measurement and standards infrastructure for IT.  One component of our IT Laboratory focuses exclusively on security issues.  As requested in your invitation, it is the IT security work of NIST’s Computer Security Division that I would like to focus primarily upon today.

Let me commend the Committee for focusing on the issue of computer security.  As you recognized in calling today’s hearing, security is a critical component necessary to meet the needs of both industry and government in achieving economic and social benefits from applications of IT, including in the important area of Electronic Commerce. Your hearing is also particularly timely given the recent report issued by the President’s Commission on Critical Infrastructure Protection highlighting security issues.  I will not dwell on threats to computer systems, other than to note that they are wide-ranging and show no sign of diminishing.  They include such threats and risks as: sabotage, loss of infrastructure support, malicious hacking, industrial and state-sponsored espionage, human error, fraud, and viruses as well as other types of malicious code.

NIST’s activities in the area of computer security address requirements of both the IT industry and federal agencies.  Our industry customers include the vendors of general IT products as well as security-specific products.  NIST’s responsibilities are specified in the Computer Security Act of 1987 (and were reinforced under the Clinger-Cohen Act, more formally known as the IT Management Reform Act of 1996).  In addition, OMB’s Circular A-130 (Appendix III) expands on these and gives NIST a number of specific responsibilities in support of agency computer security efforts.  Last, the Computer Systems Security and Privacy Advisory Board (CSSPAB), provides us with valuable input on emerging security issues and other matters.

Another recent development is the Federal Government’s concern over the security and robustness of the nation’s critical infrastructures, as these are increasingly dependent on information technology and computer networks such as the Internet.  NIST computer security programs and expertise will help address problems involving these infrastructures.

NIST has developed a strategy that recognizes the essentially common security needs of the majority of government agencies and the private sector.  In particular, we believe that the best way to provide security for Federal Government systems is to make maximum use of commercial products, services, standards and technology.  NIST works with the private sector to foster the availability of high quality security products that may be used by both private sector and government organizations with confidence - thus achieving higher levels of security and interoperability for both.  The NIST IT security program focuses on those technologies and needed infrastructures that will achieve these goals.  Briefly, the key focus areas in the NIST IT security program are the following:

Security Criteria and Testing,
Internet and Network Security,
Cryptographic Technology and Applications,
Public Key Infrastructure, and
Security Management

These areas address some of the most critical issues facing organizations today as they expand their uses of computers and networks.  By focusing on these key areas, NIST is able to leverage its unique expertise in standards and measurements to help both government and the private sector.  Let me briefly discuss each.

The goal of our first focus area, Security Criteria and Testing, is to promote the development of objective criteria for testing and assessing the functionality and assurance of security technology and products.  This is needed because, when it comes to security, organizations (including government) are looking for independent assurances that the security features of products indeed perform “as advertised.”  Many of our activities in this area are being accomplished under our recently-announced “National Information Assurance Partnership” (NIAP).  NIAP is a NIST/NSA-sponsored forum through which industry and government organizations can collaborate to develop security metrics, tests, test methods, tools, reference implementations, and protection profiles.  These can then be used by independent, private sector testing laboratories to conduct product tests and certifications.  It is important to note here that NIST does not intend to perform tests or product certification - only to help provide the necessary elements to support usable and credible formal test processes.  In this way, government (and industry, to the extent it needs tested products) will be able to procure and deploy security technologies and products that have been independently tested.  NIAP will also serve as the mechanism for mutual international recognition of evaluation tests conducted under the “Common Criteria” program, an internationally agreed upon means to specify security functionality and assurance so that tests for conformance can be conducted.

Because NIAP promotes the development of security product testing through independent, private sector laboratories, we hope that this will lead to the greater commercial availability of secure products for use in protecting government (and, again, to the extent needed, industry) information systems.  NIAP also is laying out a course for transition of existing government-conducted security product testing activities to commercial testing laboratories, thus supporting the development of an American IT testing industry which is commercially viable and sustainable.

Much of the work of NIAP is supported by the “Common Criteria” (CC), on which NIST has been working for some time.  The goal of this effort is to provide a detailed technical specification which can be used to describe, with technical precision, the security functions of an application, security product, or system (which subsequently may undergo security testing).  The CC also provides a means to specify a corresponding “assurance level” of a product, meaning, in effect, the degree of confidence one may have that a given product’s security features operate as specified.  This will allow for a range of testing, from a fairly quick review, to an in-depth, technical product review.  The degree of testing appropriate will, in part, be determined by the threat and risk environment (including the sensitivity of information) in which a given product is intended to operate.

The goal of our activities in the area of Internet and Network Security is to provide interoperable security capabilities across networks and user “domains.” What exactly does this mean?  Many of the networks in existence today, notably the Internet, were not designed with security functionality in mind.  A challenge that faces us today is how to migrate to new technology that provides for a higher level of security.  One key area that NIST has focused on to accomplish this is to work with the Internet Engineering Task Force (IETF) to develop the technical security protocols for use in the new version of the supporting network security protocols (known as “IPSec”).  We have developed a security reference implementation, which will be widely distributed and can be used to test for interoperability by builders of IPSec products.  IPSec provides for security services for both the currently-deployed Internet Protocol (IP) version 4 and the emerging IP version 6.

Another important activity that NIST has undertaken, particularly to address the needs of our federal customers, is the Federal Computer Incident Response Capability (FedCIRC).  This is an initiative originated by NIST and made operational in October 1996, which helps address the need in the Federal Government for network incident response capabilities.  FedCIRC provides, under NIST auspices and in collaboration with DOE's Computer Incident and Advisory Capability and Carnegie-Mellon University's Computer Emergency Response Center (CERT), a variety of subscription funded services such as site evaluation, incident handling services, access to incident and vulnerability advisories, and training opportunities.

Thanks to startup funding from the Government Information Technology Services (GITS) initiatives, we are able to provide 7-day-a-week, 24-hour-a-day service. To date, we have handled more than 75 incidents from the civilian side of government since we became operational. Additionally, we have fielded hundreds of other requests for information and assistance.  Through its workshops and seminars, FedCIRC has trained over 1000 individuals on various aspects of computer security.  In conjunction with other federal agencies, we are currently looking at ways to continue this important activity beyond that provided for by the initial one-time GITS start-up funding.

Our next focus area is Cryptographic Technology and Applications.  The goal of our work in cryptography is to ensure the availability of high-quality cryptographic technology standards, tests, and application program interfaces to that technology.  NIST’s work in cryptography focuses not only on core algorithm-based standards and associated conformance tests, but higher level standards and tests for the “modules” in which algorithms (and other cryptographic-related functions) are implemented.  Included at the algorithm level are such activities as our development of the Advanced Encryption Standard and our work with the American National Standards Institute (ANSI) on digital signature standards for RSA and Elliptic Curve techniques.  At the module level, our work is focused in our Cryptographic Module Validation Program.  I will briefly explain each of these in more detail.

Advanced Encryption Standard (AES). In January of last year, NIST announced that it would begin the process of working with the private sector on an Advanced Encryption Standard (AES). As you may know, the Data Encryption Standard (DES) has been the operative private sector standard, as well as formal government standard, for assuring the confidentiality of information for almost two decades. DES will continue to provide adequate levels of security for many applications for years to come.  However, in an effort to look ahead, NIST has begun the work with the private sector on AES in anticipation that demand for the next generation of encryption standards will require a concerted, multi-year effort to evaluate, develop and build consensus towards acceptable long-term standards. We are pleased by the response of the private sector to this initiative, and we look forward to receiving candidate algorithm nominations by the mid-June deadline.  Thereafter, we plan a series of public workshops and comment periods before selecting an algorithm for the AES.

Expanded Digital Signature Standard. NIST also has requested public comments on additional algorithms that the federal government may endorse to authenticate electronic information and transactions and assure high levels of integrity. This initiative will expand the number of techniques that the Federal government should be using in the area of "digital signatures" and should bring forth the best and most cost-effective technologies that the private sector has to offer. I want to note that we have specifically asked for comment on elliptic curve technology and on RSA's digital signature technology.  We have been working with accredited voluntary standards committees of ANSI to finalize standards for both technologies, which we intend to recommend for federal use with appropriate implementing guidance.

Key Agreement / Exchange. In a third area, we have also sought public comments on potential technologies that assure very secure "key agreement or exchange" protocols as part of public cryptographic systems. There is no existing federal standard in this area, and we have specifically asked for comments on the following technologies: RSA, elliptic curve, and Diffie-Hellman.  We are also working with the ANSI voluntary standards committees on these standards, which we plan to adopt for federal use as appropriate.

Key Recovery.  NIST is also pursuing technical work in the area of key recovery for government applications, to ensure the availability of encryption keys, for both user and public safety requirements. We have provided technical support for the key recovery pilot tests sponsored by GITS.  We also support the Department of Commerce’s advisory committee to gain industry’s advice as to how the government should accomplish key recovery for itself.

Cryptographic Module Validation Program.  While sound algorithms are critical to providing for strong cryptographic-based services, they are insufficient in and of themselves.  It is also necessary that the module in which cryptography is implemented (either hardware or software) be secure.  For example, one issue that must be addressed is how are cryptographic keys protected within the module.  Therefore, NIST, in conjunction with industry partners, developed the Security Requirements for Cryptographic Modules standard which specifies four security levels for cryptomodules.  Under its National Voluntary Laboratory Accreditation Program, NIST has accredited Cryptographic Modules Testing (CMT) laboratories to perform validation testing of cryptographic modules.  Netscape told us that, as a result of successful testing under this program, the Department of Defense recently purchased 2 million copies of their web browser.

Our projects in the area of Public Key Infrastructure (PKI) are aimed at ensuring the interoperability and security of the crucial components of the public key infrastructure needed to support electronic commerce and government activities. Public key technology holds great promise for improving the security of systems and serving as a key enabling technology for Electronic Commerce.  However, in order to enable truly global capabilities, and to avoid independent islands of users who cannot talk to each other, interoperability issues must be addressed.  Additionally, in order for users to have trust in the system, the security issues in the various components of the PKI must also be addressed.

NIST has recently completed initial work in the area of PKI by developing, with the assistance of ten cooperative research and development agreement partners in industry, a Minimum Interoperability Specification for Public Key Infrastructure Components (MISPC). NIST is continuing this work with development of reference implementations of public key Certificate Authorities and related technical development.

Our final security focus area is that of Security Management to provide guidance in the selection, implementation and use of security technology in their systems and networks.  We recognize that technology does not provide strong security in isolation – there are always complicating human factors.  Technology appropriate to the risk and threat environment must be selected.  It must be correctly installed and managed by knowledgeable, trained personnel. Organizations must have appropriate policies and security in place throughout a system’s functional life-cycle.  In order to address such critical managerial and operational controls, NIST develops and issues guidance to agencies.

Our basic overall approach to these security management issues was laid out a few years ago in our Computer Security Handbook and has been  supplemented via numerous other publications.  For example, during the last year, ITL has issued bulletins on security issues for telecommuting, audit trails, security considerations in computer support and operations, PKI technology, and Internet electronic mail.  Thanks to our collaborators in the Federal Information Systems Security Educators’ Association and the Federal Computer Security Program Managers’ Forum, we are currently coordinating two new draft guidelines on training and planning, respectively.

The Federal Computer Security Program Managers’ Forum, which we sponsor, provides an informal venue for federal officials to exchange real-world computer security issues and solutions.  The Forum also provides a means for NIST to share its advice with agencies, and to draw upon the computer security expertise at other federal agencies in developing guidance documents.

NIST has also undertaken a long list of activities with federal agencies designed to improve agency security management, education and awareness, and use of security technology. NIST staff would be happy to discuss this with you further.

Mr. Chairman, I want to thank you again for the opportunity to speak to your committee on NIST’s computer security activities. We at NIST look forward to working with your committee and others in the Congress on this important issue.


Source: http://www.senate.gov/~commerce/hearings/210bap.htm

STATEMENT OF

LEN BAPTISTE

DIRECTOR, OFFICE OF SYSTEMS STANDARDS AND EVALUATION INTERNAL REVENUE SERVICE

BEFORE THE

SUBCOMMITTEE ON SCIENCE, TECHNOLOGY, AND SPACE

COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

UNITED STATES SENATE

FEBRUARY 10, 1998

 

COMPUTER SECURITY

 

Mr. Chairman and Distinguished Members of the Committee: I am pleased to be here today to discuss computer security at the Internal Revenue Service (IRS).

The IRS has long understood that protecting taxpayer information is essential to the operation of our country's self-assessment tax system. Policies and procedures to protect the security and confidentiality of taxpayer information have been established in accordance with various laws and other federal guidance, including the Privacy Act of 1974, the Computer Security Act of 1987, and Section 6103 of the Internal Revenue Code. A more recent example is the Taxpayer Browsing Protection Act, which was signed into law in August 1997. In short, this new law helps to better address an internal threat to taxpayer records by making all cases of willful unauthorized access and inspection of taxpayer records--electronic and paper--a crime.

SECURITY WEAKNESSES

Although policies and procedures have been established, the IRS is aware that more emphasis is needed to adequately mitigate security weaknesses. Audits and reviews of the IRS' security and operations have identified weaknesses and instances where individuals have misused our systems to commit fraud and other crimes. For example, the General Accounting Office (GAO) reported in April 1997 on its concerns with various systems security weaknesses at the IRS. It also raised concerns with the IRS' effectiveness in dealing with unauthorized accesses to taxpayer records by IRS employees.

The IRS' Office of the Chief Inspector is responsible for investigations dealing with criminal acts. In this regard, Inspection's investigations have identified criminal acts involving employees who have improperly accessed computer systems and used taxpayer information from these systems to commit acts such as embezzlement, submitting false claims for tax refunds, and unauthorized disclosure of tax information. Since October 1, 1997, Inspection also assumed total responsibility for investigating all allegations of unauthorized access and inspection of taxpayer records.

Whereas preventing fraud and misuse is the ultimate goal of any security program, a good security program also must adequately detect and react to situations that cannot always be prevented. In this regard, the IRS' security program is focused on improving its prevention, detection, and reaction capabilities.

 

EXECUTIVE-LEVEL LEADERSHIP ESTABLISHED

In response to internal and external security concerns raised by the Congress, auditors, and an IRS task force, the IRS centralized responsibility for security and privacy issues in its Office of Systems Standards and Evaluation (SSE) in January 1997. This was initiated just after I joined the IRS to manage SSE--after almost 22 years with GAO.

SSE is responsible for establishing and enforcing standards and policies for all major security programs including, but not limited to, physical security, data security and systems security. In this regard, SSE provides IRS with a proactive, independent security group that is directly responsible for the adequacy and consistency of security over all operations. This organization and approach are consistent with GAO's September 1996 report, Information Security: Opportunities for Improved OMB Oversight of Agency Practices, which noted that, "Such a program can provide senior officials a means of managing information security risks and the related costs rather than just reacting to individual incidents."

SSE was not assigned this management oversight responsibility to duplicate evaluation and review efforts by the IRS' Office of the Chief Inspector, which focuses many of its efforts on overseeing and strengthening computer security. SSE was established to provide consistent executive-level leadership and enforcement for security throughout the IRS. Using some of the same evaluation disciplines employed by the Office of the Chief Inspector and external auditors, SSE focuses on evaluating, guiding, and enforcing IRS' security and privacy programs and processes. However, it uses the same evaluation disciplines to baseline security operations at the IRS' facilities and support functions. It also works with the management of these entities to drive solutions, develop sound security processes, and establish enforcement mechanisms that hold these managers responsible for maintaining these processes.

In March 1997, the IRS further strengthened its security capabilities with the appointment of Mr. William Hadesty to direct SSE's Office of Security Standards and Evaluation. Mr. Hadesty is a recognized security expert in both the public and private sector with over 10 years of GAO experience in leading comprehensive computer security reviews at IRS, numerous other government agencies, and financial market entities. Mr. Hadesty has staffed his Office with a team of experienced managers that have the skill mix that is needed to strengthen security across the IRS. SSE is also utilizing contractor support in areas where even more specialized skills can help the IRS to institutionalize "best practices." For example, SSE is working with such a contractor to enhance the IRS' emergency response capabilities, which includes state-of-the-art practices to better recognize and prevent hostile attacks.

Besides bringing together an experience-based team, SSE's efforts were focused on evaluations of important support functions and all the IRS' computing centers and service centers in 1997. Work has progressed in a timely manner as planned, without any major obstacles. In this regard, managers and staff of these support functions and centers have been focused on working with SSE managers to implement security improvements. Because these managers and staff are the key players in institutionalizing the security improvements that are needed, SSE has initiated security-training efforts to enhance the skill mixes needed at the support functions and centers. For 1998, training and work are continuing at these support functions and centers. Moreover, SSE's work has been broadened to cover the IRS' 33 District Offices in 1998.

Our work at centers and offices is focused on key areas, which include:

 

 

 

 

 

 

 

 

UNAUTHORIZED ACCESS TO TAXPAYER RECORDS

 

In August 1997, the Treasury Department issued a report on actions being taken to control unauthorized access to taxpayer records by IRS employees. This report reflected a study completed by IRS that focused on better addressing this access problem. Actions noted in the report are progressing as planned, and have included:

 

 

 

 

 

 

LONG-TERM PLANS

Over the longer term, the IRS' Modernization Blueprint consolidates security mechanisms, audit data, and user profile data. Currently, the IRS' various automated systems cannot provide an integrated security solution to prevent unauthorized activities by internal users. However, the planned services for security will include:

 

 

 

 

 

 

 

 

Overall, the long-range plans for security functionality are aimed at improving security performance and effectiveness while minimizing administrative, maintenance, and operational costs. User efficiency has been taken into account and the best practices of both the government and private sector have been considered and adopted in formulating the security initiatives for modernization. The resulting systems will be architecturally consistent to facilitate interoperability, data sharing, reduced development risk, reduced maintenance burden, and lower life cycle costs of ownership.

Beyond the consolidation of security mechanisms, audit data, and user profile data, the new architecture will support data mining techniques to further enhance the overall suite of security services. Private industry and government have found this technology to be highly effective in counteracting fraud such as might be perpetrated in connection with credit cards, checks, cell phones, insurance claims, and money laundering. Similarly, the IRS will mine data on its taxpayer record activity to better detect and react to unauthorized activities.

In closing, we believe that our current approach and program are focused on establishing a world-class security environment, which is commensurate with protecting the IRS' $1.4 trillion financial services program. At the IRS, we fully understand that although new technologies will help to streamline the agency's operations and improve the delivery of services to taxpayers, these same technologies bring with them new risks that must be controlled to ensure adequate security. This continues to take on greater significance as IRS' reliance on paper decreases and its dependence on new technologies increases. In this regard, our new security program provides the IRS with the disciplined approach that is needed to continually improve the IRS' ability to protect the confidentiality and integrity of taxpayer data, and the processes and resources to operate our country's self-assessment tax system.

This concludes my statement, and I will be glad to answer any questions.


Source: http://www.senate.gov/~commerce/hearings/210hol.htm

Statement of

Mr. Lee B. Holcomb

Chief Information Officer

National Aeronautics And Space Administration

before the

Subcommittee on Science, Technology, and Space

Committee on Commerce, Science, and Transportation

United States Senate

 

 

Mr. Chairman and Members of the Subcommittee:

 

I appreciate this opportunity to discuss with you NASA's views on information security from the perspective of a user. As Chief Information Officer (CIO), I am responsible for providing advice to ensure that information technology is acquired and managed to comply with existing laws and regulations and achieve the Agency’s mission. Key among these responsibilities is to ensure that NASA has a secure information technology environment.

 

NASA, as chartered by the National Aeronautics and Space Act, is expected to make available to the public the results of its programs. Each day NASA moves nearly one million electronic mail messages. Last month, NASA was named the number one World Wide Web site by Yahoo. The imagination and interest of the world was sparked by the incredible images and data that were returned from the Mars Pathfinder mission. Yahoo identified the NASA Mars Pathfinder Web Page as the most frequently accessed Web Page last year, with a recorded 566 million hits worldwide during the period of July 1 - August 4, 1997. These high volumes of internal and external information traffic present enormous technical challenges - providing efficient operations while assuring security and integrity of NASA computing resources and data. We develop, maintain, and operate over fifty major systems that are either high cost or of critical management importance. These investments represent a broad portfolio of supercomputer, mainframe, desktop and communications applications, capabilities and assets. NASA is a premier research and development Agency; information technology, from a laptop flying on the Space Shuttle to a communications network transmitting images from a new galaxy, has enabled NASA to deliver on its commitments for better, faster, cheaper, and safer missions and products.

We are pleased to see the Committee focus this hearing on information security. Over the past year, internal and external reviews have identified increasing concerns with information security and data integrity. The NASA CIO community has placed the highest priority on correcting our Year 2000 computer problems and improving information security.

 

Our information technology security (ITS) program addresses seven critical and linked areas which include organization, policy/procedures, training, incident reporting and vulnerability corrections, technology, physical security, and criminal investigations. Each area plays a critical part in providing an overall level of integrity, confidentiality, and availability of information and information systems. NASA’s activities in the area of computer security include:

 

1. Organization

 

The NASA CIO established a Principal Center for information technology security (ITS) led by an ITS manager who reports to me and the Director of Ames Research Center (ARC). The ITS manager ensures a close working relationship between the NASA Enterprises and NASA installations regarding IT security. The ITS manager is responsible for recommending information security policies, procedures, guidance, architecture, standards and metrics. This responsibility fits well with ARC’s role as the NASA Center of Excellence in information technology. The ARC, located in Silicon Valley, is ideally situated to facilitate the infusion of new computer and communication security technology and products to meet near-term and long-term NASA requirements. In order to better leverage the wealth of expertise that resides across NASA's Centers, we identified Expert Centers and assigned ITS functional area responsibilities. The functional areas are: Notifications, Incident Coordination, and Response - Goddard Space Flight Center (GSFC); Training and Awareness - Lewis Research Center (LeRC); Network and Communication - Marshall Space Flight Center (MSFC); Systems and Applications - Jet Propulsion Laboratory (JPL); Development - ARC.

 

2. Policy/Procedure

 

Our information technology security policy mandates risk assessments to establish prudent ITS investment levels for each major mission, program or institutional requirement. A second major objective of our ITS policy is to promote the development of IT security architectures and standards which contribute to open, standard, scaleable, interoperable, yet secure IT environments.

 

We are rewriting the existing NASA security policy and procedure documents to update and enhance our overall IT security position as it relates to sensitive but unclassified IT systems and information. The ITS policy reflects the role of the NASA CIO and associated organizational structure. As part of our process for developing and approving ITS policies, the NASA Enterprises and Centers must approve standards and architecture recommendations. Our policy is coordinated, where appropriate, with other Federal policies and procedures, such as those established by the Federal CIO Council and its associated Boards.

 

NASA is developing sound and lasting procedures and guidance to address ITS. The establishment of metrics is critical for overall management of NASA's information technology security (ITS) resources. The ability to measure the effectiveness of our ITS program will translate into cost-effective investment strategies which address our most significant system vulnerabilities. These metrics address overall IT security effectiveness as well as specific measures of the effectiveness of training, prevention and detection activities.

 

An important part of our ITS program is the establishment and documentation of ITS architecture and standards which is intended to better facilitate the development of more uniform and cost-effective NASA-wide solutions.

 

3. Training

 

Training and awareness are key to a successful ITS program. Based on known ITS vulnerabilities, training and awareness provide large return on investment. We are consolidating our efforts to provide effective ITS training to leverage the resources we currently spend in this area and to identify areas where we can improve. LeRC is working on standard Agencywide approaches for IT Security training. These training programs are being developed using the best practices of other government agencies and the private sector. For example, we are currently evaluating computer security training modules developed by the US Army. Strategies to ensure both civil service and contractor personnel are properly trained and certified are being developed. The final recommendation on the appropriate Agencywide IT Security training initiatives and Master Training Plan will be coordinated with the entire NASA CIO community for review and approval.

 

4. Incident Reporting, Vulnerability Corrections

 

Information security begins with avoidance. GSFC is currently operating an Agencywide vulnerability notification, emergency response, and incident handling, the NASA Automated Security Incident Response Capability (NASIRC). Avoidance includes awareness at all levels and it promotes well trained security and audit professionals. Because of our strong presence on the public internet, our computing resources are subject to significant security risks. NASIRC has provided an effective means to rapidly deal with incidents.

 

During FY97, NASIRC issued 244 Alerts, bulletins, and follow-up technical advisories. So far in FY98, NASIRC has issued 112 such notices. Every time NASIRC issues an alert or technical advisory it is reflective of our collaboration with many other organizations, and identifies threat and vulnerability situations that affect all IT system user communities. We work closely with alert services such as Computer Emergency Response Team (CERT), Federal Computer Incident Response Capability (FedCIRC) and other international response teams as well as monitoring vendor notices and news groups. IT Security is a world-wide issue, especially for those who have extensive internet connectivity. By conducting extensive coordination and collaboration with other organizations around the world, we are able to get timely heads-up information to better protect our IT system environments, and we are able to share lessons we have learned with others who are working such issues in a trusted incident handling arena.

 

GSFC has also been working on building an inter-Agency affinity group with other government agencies to leverage limited resources and coordinate more closely on inter-Agency emergency response and incident handling issues. The Department of Justice has joined our efforts through a Memorandum of Understanding. The Department of Education and the Federal Aviation Administration are expected to join this inter-Agency effort during the second quarter of FY98.

5. Technology

 

Emerging information security technologies are essential to satisfy new requirements for digital signatures, secure messaging, electronic commerce, and trusted web-based applications. An essential technology is Public Key Infrastructure (PKI). Important requirements for PKI include ease of use (works with common applications), authentication (know who you are), certification policy (mixed user groups), and trusted certificate authority (sender authentication, nonrepudiation and message integrity). The ARC has participated in several joint Federal activities for improving information security and data integrity. One of these was the Collaborative Internet Security Testbed. The results of this activity are found at: http://cis.dyncorp-is.com/. Likewise, ARC has been coordinating its activities for an Agencywide PKI with the Federal PKI Steering Committee. NASA has been developing and deploying a standard infrastructure for PKI and digital signature. This technology provides a common security infrastructure that can be relied on to support the many different programs and projects within NASA. As part of this activity, we developed a secure messaging system and we are currently testing the solution across all NASA Centers. We developed and are currently pilot testing a secure electronic solicitation and review process for scientific grants with approximately 50 universities. The results to date are very promising. We also are working closely with private industry to develop and test secure web capabilities that could use the same common PKI technology. We are evaluating solutions at the transmission level which provide Virtual Private Network (VPN) capability. In all these efforts, we have focused on early commercial technology products which are compatible with NASA’s Agencywide architecture and standards.

 

6. Physical Security

 

NASA takes a comprehensive and layered risk management approach to all aspects of IT security. In the area of physical security we are concerned with the behavior of people with access to NASA IT systems from the threat posed by the "trusted insider" to the thief or the terrorist. NASA screens each person who will require access to our IT systems. Depending on the criticality of the information contained in the system building and/or facility, access may be restricted and protected by various access control devices as described by our NASA Resource Protection program. As the outermost perimeter, access to NASA Centers is restricted to authorized personnel and approved visitors only.

 

JPL has completed work on evaluating the Agencywide virus scanning posture, and has recommended a standard Agencywide approach for acquiring, operating, and maintaining standard virus scanning software/capabilities. JPL is evaluating the Agencywide posture and recommending a standard approach for acquiring, operating, and maintaining network intrusion detection and analysis software/capability for all of NASA.

 

MSFC completed an evaluation of the local area networks (LANs) and has recommended an Agencywide standard approach for acquiring, operating, and maintaining standard firewall software/capabilities for HQ and all Field Centers. As part of their support to the Agency, MSFC is providing guidance for Center level implementations. MSFC is also testing the efficacy of new electronic devices and software designed to prevent the theft of computers for possible Agencywide implementation.

 

7. Criminal Investigations

 

NASA continues to work closely with the NASA Inspector General and other law enforcement agencies to support their efforts in any criminal investigations that involve IT resources at all Centers. In order to deter misuse and notify all users that their use may be monitored, NASA has implemented a warning banner on all appropriate NASA computer systems. These banners state that by continuing to use a U.S. Government computer, you consent to your keystrokes and data content being monitored. These banners have aided the law enforcement communities in their investigations.

 

Conclusion

 

NASA is facing the challenge of adapting to the changing IT environment where vulnerabilities are serious and increasing. Information sharing is essential to achieve the mission of NASA. NASA not only has a strong presence in the National Information Infrastructure as a major component of the internet, but also must maintain separate and protected mission critical information technology systems. As a direct result of our very strong presence on the Internet, we have of necessity become a significant player in the incident handling arena which cuts across Federal civilian/military government, private industry, academia, and foreign partners. NASIRC has become recognized as a model within the Federal Government.

To protect our mission critical information systems, NASA has become an early adopter of information security technology. Over the next several months, we plan to deploy a public key infrastructure in support of secure messaging, digital signatures, electronic procurement applications and secure web based applications. Our efforts in deploying virtual private networks and firewalls are essential to the successful and secure deployment of our Agencywide Integrated Financial Management Program.

 

In summary, we take seriously our responsibility as stewards of the public’s space and aeronautics information technology systems and we are committed to working with other agencies of the Executive Branch and with the Congress to ensure we maintain the proper balance between accessibility of research results and protection of our IT investment.