With time running out before the new fiscal year begins, the CIO Council plans to issue two memorandums within the next two weeks to agencies and Congress that urge putting in place policies that would better secure government computers.
One memo will require agencies to establish a relationship with the Federal Computer Incident Response Capability (FedCIRC), which disseminates information about and coordinates responses to cyberattacks across civilian agencies. The other will be an open letter to Congress - but aimed at the appropriations committees - emphasizing the importance of funding cross-government security initiatives in the 2001 budget.
The council wants to issue the memos, especially the plea for more security funding, as soon as possible to take advantage of the time left before the next fiscal year begins Oct. 1, officials said.
"If we don't get [the funding memo] out in the next week or so, we lose a lot of the opportunity" to secure funding, said John Gilligan, co-chairman of the security committee and Energy Department CIO. Congress returns from recess after Labor Day and will be pressured to finish up the appropriations bills so that members can return home to campaign.
The memo to Congress will request that the appropriations committees support about $40 million in security initiatives, including FedCIRC; a team of security experts at the National Institute of Standards and Technology that will serve as a resource to all agencies; and continued leadership from the Treasury Department for governmentwide public-key infrastructure efforts.
The council wants members of the appropriations committees to understand that the funding choices they make will affect many more agencies than just the ones that each committee has authority over. Attached to the memo will be a host of supporting examples and explanations as to why a single agency is taking action on behalf of the rest of government and the ramifications of not receiving funding, Gilligan said.
A lack of funding so far from the appropriations committees has been the No. 1 topic at many gatherings of government security professionals, said Dave Jarrell, program manager of FedCIRC at the General Services Administration.
Many agency officials have become frustrated and see this memo as kick-starting their efforts again. "It will get the attention of all the agencies if and when Congress takes notice and starts funding these initiatives," he said. "I think that this is going to be a crucial step."
The money sought for FedCIRC also will support the second memo the council plans to issue, which sets the stage for full dissemination of information and response to cyberattacks across government and within each agency.
This memo requires agencies to link into the FedCIRC network to ensure that every agency receives warnings, software patches and other information from the organization and also to ensure that agencies report any anomalous incidents back to FedCIRC. That will provide a full view of incidents across government.
"We're trying to get people to look at the bigger picture," Jarrell said. "We want people to realize that if they have a piece of information, it may be of little significance to them, but it may be of great significance to the government."
The memo also requires agencies to establish a formal process for disseminating FedCIRC information throughout their organizations and reporting to FedCIRC that information has been distributed. This will shorten the time it takes for agencies to coordinate responses to attacks and is key for incidents like the "ILOVEYOU" virus, where "minutes made a difference," Gilligan said.
With the two memos, the council, FedCIRC and the other government security organizations are trying to instill procedures that will change the culture of government and raise awareness of the steps that must be taken to keep their agencies secure. "We have to get people into the habit of embedding security in their daily practices so that they're not even thinking about it," Jarrell said.