| 1. What is the relationship between
the NIPC and the FIDNet?
|| FIDNet and the NIPC are separate, distinct entities.
FIDNet is operated under the cognizance of the General Services Administration,
while the NIPC falls under FBI control. The FIDNet shares information
with the NIPC ONLY in incidents where criminal activity
is suspected. Such information sharing is not conducted without
consultation with the affected agency or department. In all cases,
due process of law and Constitutional guarantees are preserved.
| 2. Given the reluctance of Congress
to provide money and the recent slashing of the DOE budget for information
security, what reason do we have to believe that funds will be available
to protect our information infrastructure?
|| As with any sound program, policies and procedures
must be in place in order to give the best value to government. Otherwise,
needless spending will result and any such program will be doomed
to failure. In recent news releases pertaining to the funding for
critical infrastructure protection (CIP) initiatives, the media
failed to explain the situation to the satisfaction of the readers.
Funds are congressionally allocated specifically for a defined requirement.
When funds are requested, it is paramount that any acquisition fall
within the scope of the original request. If an agency or department
deviates from the category for which the funds are intended, it is
likely that Congress will deny the request. With regard to the current
funding issues, requests for many of the related CIP programs were
submitted very late in the budget process, and for that reason
Congress deferred action until a later date and chose to focus on
more pressing budget issues.
| 3. Will there ever be a government
standard published addressing "Risk Analysis and Management"
procedures and requirements?
|| Though industry standards and policies are widely
published, they may vary considerably across organizational boundaries.
Understanding the difference between risk avoidance and risk management
is the key to a successful program. Standard risk management procedures
are needed within government to establish common criteria. Since
no FIPS equivalent currently exists, this question will be deferred
to the National Institute of Standards and Technology for action.
| 4. What does John Q. Citizen pay
for an ACES certificate? Hardware?
|| John Q. Citizen pays nothing. The Government will
incur the full expense.
| 5. Can you name six to ten Federal
Agencies who have implemented PKI solutions for data encryption?
Points-of-contact for the Agencies?
- Mr. Richard Guida, Chairman of the Federal PKI Steering
Committee and GITS Security Champion, would be the best source
for more information on Federal PKI.
- DoD Fortezza; contact the Information Assurance Technical
Framework Forum (IATFF) at http://www.nsff.org
(the next meeting, on 2 Dec 99, will be discussing PKI).
- The FAA is starting a program for its aircraft inspection program.
- The US Patent Office has a project going on now.
| 6. Have you heard of the USAID MISSP
program to collect and publish "Best Security Practices"?
|| Yes...the program is being managed by Mr. Jim Craft
and has received some initial funding. Jim has established a multitude
of relationships to ensure the broadest collection of security practices.
This program, combined with FedCIRC's "Patch Dissemination
Process", will hopefully raise the overall security bar by
encouraging system administrators to stay abreast of current security
fixes and best practices.