PCIE/ECIE Critical Infrastructure Assurance Initiative



 

Background
Presidential Decision Directive (PDD) 63, May 1998, calls for a national effort to assure the security of the nation's critical infrastructures.  Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and Government and include, but are not limited to, telecommunications, banking and finance, energy, transportation, and essential Government services.  Based on a proposal from Russell Rau, FAEC Chair, the PCIE/ECIE working group on critical infrastructure assurance was established and a PCIE-wide review of critical infrastructure assurance was initiated.

Roles/Responsibilities
Our goal is the broadest possible participation within the OIG community.  The PCIE/ECIE Working Group will have overall responsibility for developing the review guides; coordinating the efforts of participating OIGs; preparing and issuing consolidated reports for the PCIE that summarize the results of individual agency reviews and make Government-wide recommendations, as appropriate; and conducting follow-up work regarding recommendations made in the consolidated reports.  Participating OIGs will be responsible for "scoping" their reviews, performing review work at their respective agencies, and providing the PCIE/ECIE Working Group with summaries of the review results.  Participants will issue reports to their respective agencies.

Review Objectives
Participating OIGs will review the adequacy of critical infrastructure protection programs at Federal agencies, and the PCIE will issue an overall report summarizing national policy issues identified during the review.  The review will consist of four phases:

Phase I:  Planning and assessment activities for protecting critical, cyber-based infrastructure, including the adequacy of agency plans, asset identification efforts, and initial vulnerability assessments.

Phase II:  Implementation activities for protecting critical, cyber-based infrastructure, including the adequacy of risk mitigation; emergency management; interagency coordination; resource and organizational requirements; and recruitment, education, and awareness.

Phase III:  Planning and assessment activities for protecting critical physical infrastructure, including the adequacy of agency plans, asset identification efforts, and vulnerability assessments.

Phase IV:  Implementation activities for protecting critical physical infrastructure, including risk mitigation; emergency management; interagency coordination; resource and organizational requirements; and recruitment, education, and awareness.

Milestones:
Phase I:  Begin fieldwork, January 2000; issue final consolidated report, September 2000.
Phase II:  Begin fieldwork, June 2000; issue final consolidated report, March 2001.
Phase III:  Begin fieldwork, November 2000; issue final consolidated report, August 2001.
Phase IV:  Begin fieldwork, May 2001; issue final consolidated report, February 2001.

Meetings and Points of Contact
The initiative is headed by the National Aeronautics and Space Administration (NASA) OIG.   Call or e-mail David Gandrud at (650) 604-2672, or Roger Flann at (818) 354-9755 for additional information.  Click here for PCIE/ECIE PDD 63 Points of Contact.

A “kickoff” meeting was held on November 17, 1999, and included presentations from the General Accounting Office, the Critical Infrastructure Assurance Office and the National Infrastructure Protection Center.  Click here for minutes.

Links to Related Information
National Plan for Defending America's Cyberspace: On January 7, 2000, President Clinton announced new steps to protect America's computer systems from hackers and viruses, in the National Plan for Defending America's Cyberspace.  This plan presents a comprehensive vision for creating the necessary safeguards to protect the critical sectors of our economy, national security, public health, and safety.

On February 1, 2000, the Senate Judiciary Subcommittee on Technology, Terrorism and Government Information held a hearing on the National Protection Plan and its Privacy Implications. The report of the hearing can be accessed from the U.S. General Services Administration Legislation and Regulations web page.

The Critical Infrastructure Assurance Office has issued Practices for Securing Critical Information Assets (January 2000) to provide initial guidance to Federal agencies in developing and implementing information security policy.

White House Fact Sheets
Strengthening Cyber Security through Public-Private Partnership.  On February 15, 2000, President Clinton met with leaders of Internet and e-commerce companies, civil liberties organizations, and security experts to jointly announce actions strengthening Internet and computer network security.

Cyber Security Budget Initiatives.  On February 15, 2000, the Clinton Administration announced its ongoing, aggressive support for protecting critical infrastructures through the budget process.  Funding for critical infrastructure has substantially increased over the past three years, including funding for new initiatives to defend the nation's computer systems from malicious cyber activity.

Action by Federal Agencies to Safeguard Against Internet Attacks.  On March 3, 2000, President Clinton requested that each agency renew its efforts to safeguard its computer systems against denial-of-service attacks on the Internet.  The Chief of Staff will coordinate a review of Federal Government vulnerabilities in this regard and issue a report by April 1.

Related Legislation
S.1993. "Government Information Security Act of 1999."  A bill to reform Government information security by strengthening information security practices throughout the Federal Government was introduced in the Senate by Senator Fred Thompson (R-TN) on November 19, 1999.