IWS - The Information Warfare Site

Questions and Answers from the
Protecting the Critical Infrastructure
Issues and Solutions Symposium

November 9, 1999
Marriott Fairview Park
3111 Fairview Park Drive
Falls Church, VA  22402

Hosted by the General Services Administration
Federal Technology Service, Office of Information Security

Question Response
1.  What is the relationship between the NIPC and the FIDNet?

FIDNet and the NIPC are discretely separate entities. FIDNet is operated under cognizance of the General Services Administration while the NIPC falls under FBI control. The FIDNet shares information with the NIPC ONLY in incidents where criminal activity is suspected. Such information sharing is not conducted without consultation with the affected agency or department. In all cases, due process of law and Constitutional guarantees are preserved.

2.  Given the reluctance of Congress to provide money and the recent slashing of the DOE budget for information security, what reason do we have to believe that funds will be available to protect our information infrastructure?

As with any sound program, policies and procedures must be in place in order to give the best value to government. Otherwise, needless spending will result and any such program will be doomed to failure. In recent news releases pertaining to the funding for critical infrastructure protection (CIP) initiatives, the media failed to explain the situation to the satisfaction of the readers. Funds are congressionally allocated specifically for a defined requirement. When funds are requested, it is paramount that any acquisition fall within the scope of the original request. If an agency or department deviates from the category to which the funds are intended, it is likely that Congress will deny the request. With regard to the current funding issues, requests for many of the related CIP programs were submitted very late into the budget process and for that reason, Congress deferred action until a later date and chose to focus on more pressing budget issues.

3.  Will there ever be a government standard published addressing "Risk Analysis and Management" procedures and requirements?

Though industrial standards and policies are widely published, they may vary considerably across organizational boundaries. Understanding the difference between risk avoidance and risk management is the key to a successful program. Standard Risk Management procedures are needed within government to establish a common criteria. Since no FIPS equivalent currently exists, this question will be deferred to the National Institute of Standards and Technology for action.

4.  What does John Q. Citizen pay for an ACES certificate? Hardware?

John Q. Citizen pays nothing. The Government will incur the full expense.

5.  Can you name six to ten Federal Agencies who have implemented PKI solutions for data encryption? Points-of-contact for the Agencies?
  • Mr. Richard Guida, Chairman of the Federal PKI Steering Committee and GITS Security Champion, would be the best source for more information on Federal PKI.
  • DoD Fortezza; contact the Information Assurance Technical Framework Forum (IATFF) at http://www.nsff.org. (The next meeting on 2 Dec 99 will be discussing PKI.)
  • FAA is starting a program for its aircraft inspection program.
  • The US Patent Office has a project going on now.

6.  Have you heard of the USAID MISSP program to collect and publish "Best Security Practices"?

Yes... the program is being managed by Mr. Jim Craft and has received some initial funding. Jim has established a multitude of relationships to ensure the broadest collection of security practices. This program, combined with the FedCIRC's "Patch Dissemination Process", will hopefully raise the overall security bar by encouraging system administrators to stay abreast of current security fixes and best practices.
