Congressional Testimony (H.R. 3844) FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002: STATEMENT SUBMITTED FOR THE RECORD


STATEMENT OF SALLIE McDONALD
ASSISTANT COMMISSIONER
INFORMATION ASSURANCE AND CRITICAL INFRASTRUCTURE PROTECTION

FEDERAL TECHNOLOGY SERVICE
GENERAL SERVICES ADMINISTRATION
BEFORE THE
SUBCOMMITTEE ON TECHNOLOGY AND PROCUREMENT POLICY
COMMITTEE ON GOVERNMENT REFORM
AND THE
SUBCOMMITTEE ON GOVERNMENT EFFICIENCY
COMMITTEE ON GOVERNMENT REFORM
UNITED STATES HOUSE OF REPRESENTATIVES

MAY 2, 2002


Mr. Chairman and Members of the Committee. On behalf of the Federal Technology Service of the General Services Administration, let me thank you for this opportunity to discuss the role of GSA's Office of Information Assurance and Critical Infrastructure Protection in Federal information security. I want to express my appreciation for your interest in the information security of the Federal Government. Although I am not in a position to express the Administration's views on H.R. 3844, the 'Federal Information Security Management Act of 2002,' I thought it would be useful to share GSA's experience with the Subcommittee and discuss how my organization can help to implement the vision articulated in the proposed legislation.
Background
The Office of Information Assurance and Critical Infrastructure Protection is home to the General Services Administration, Federal Technology Service's Federal Computer Incident Response Center (FedCIRC). To meet the requirements of OMB policy, the National Institute of Standards and Technology (NIST) developed FedCIRC in 1996 as a pilot program. It became operational in 1998 and was moved to GSA's Federal Technology Service. The overarching mission of the FedCIRC is to be the Federal Civilian Government's trusted focal point for computer security incident reporting, sharing information on common vulnerabilities, and providing assistance with incident prevention and response. FedCIRC was designated by the Office of Management and Budget, and subsequently by the Government Information Security Reform Act (GISRA), as the Federal Civilian Government's central reporting entity for computer security incidents and for sharing information on common vulnerabilities. We maintain a 24x7x365 security operations center to handle incident reports from across the Federal Government. These reports come in via our toll-free telephone number, electronically through a form found on our web site, via email, and via both secure and unclassified fax. This enables FedCIRC to assist agencies in recognizing the nature of an incident, and also permits us to identify when an incident might be part of a larger, coordinated attack on Federal information systems. The FedCIRC is more than just response. We take special care to stay informed of the latest vulnerabilities and threats to the hardware and software systems on which so many vital government services depend. We have processes and procedures to rapidly inform agencies of emerging threats and vulnerabilities, and to explain steps that can be taken to reduce the risk and mitigate the threat.
We provide tools to help Federal information security professionals identify vulnerable equipment on their networks, and to help them take steps to correct the problems. FedCIRC does not attempt to achieve this in isolation. We are part of an active information-sharing community including the Department of Defense, the Intelligence Community, law enforcement, industry, and academia. We are currently leading an interagency working group in support of the President's Critical Infrastructure Protection Board to develop a more thorough understanding of the threat and potential corrective measures to address a newly identified, widespread software vulnerability. Additionally, since each Federal agency has different expertise and strengths, we chair an ongoing forum of Federal incident response teams. Known as the "FedCIRC Partners Group," these dedicated computer security professionals meet quarterly and share information continually through email. This fosters an increased level of trust across agency boundaries, and establishes an informal network of experts who can rapidly conduct assessments and share their understanding of emerging threats.
Discussion
The Federal Information Security Management Act calls for the creation of a Federal Information Security Incident Center that would provide a single point of contact for Federal civilian agencies to report incidents. The development and operation of this center is to be overseen by the Director, Office of Management and Budget. The center is to provide timely technical assistance to operators of agency information systems regarding security incidents, including guidance on detecting and handling information security incidents. Additional responsibilities include: to compile and analyze information about incidents that threaten information security; to inform operators of agency information systems about current and potential information security threats and vulnerabilities; and to consult with agencies or offices operating or exercising control of national security systems. The FedCIRC currently does all this and more. Permit me to address each point individually, and then to share with you some of the initiatives we are implementing, based on the three and a half years' experience we have gained filling this role for the Federal government.
Director, OMB oversee the development and operation of a Federal information security incident center.
In its memorandum M-01-08 dated January 16, 2001, the Director, Office of Management and Budget reinforces existing policy requiring agencies to develop plans to report incidents to FedCIRC. FedCIRC has been assisting Federal civilian agencies with their incident handling since October 1998. Additionally, a senior advisory council meets quarterly to discuss FedCIRC's goals, accomplishments, opportunities and progress. This council includes senior representatives from OMB, GSA, the CIO Council, NIST, the Department of Defense, the National Security Agency (NSA), the National Infrastructure Protection Center (NIPC), and academia (represented by Carnegie Mellon University's CERT-CC).
Provide timely technical assistance to operators of agency information systems regarding security incidents, including guidance on detecting and handling information security incidents.
FedCIRC's principal area of focus is to provide timely technical assistance to the Federal civilian government agencies. FedCIRC has been working closely with individual agencies to develop the trust and confidence needed to implement the stated purpose of FISMA: to contribute directly and significantly to "a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets." This trust must be earned through proven performance and success. FedCIRC has done much to develop this trust.
One example is in the Federal government's handling of the "Code Red" virus that infected millions of systems worldwide in the summer of 2001. Code Red conducted automated network scanning to identify systems operating with a vulnerable server software package. A public advisory had been previously released identifying a serious security vulnerability that could allow an intruder to gain control of the vulnerable system and employ it to scan and infect other vulnerable systems. The first version of Code Red commanded thousands of infected computers to simultaneously flood the White House web site, which would result in a denial of service, denying access to citizens seeking legitimate information from the White House web site. The attack was thwarted in part by changing the Internet address of the White House web server. This action redirected the attack against a non-existent address, negating any service impact. Industry and government experts quickly reached a consensus that the rapid rate of infection, and the resultant volume of automated scanning, posed a threat to the Internet infrastructure's ability to process the extremely high volume of traffic. A tool was made available to help identify vulnerable equipment, and a patch was created to correct the vulnerability. FedCIRC provided the tool to government agencies and ensured that agencies had access to the corrective patch. OMB required agencies to report to FedCIRC when their vulnerable systems were patched. As a result of this decisive action, the impact to the government of Code Red and its later variants was minimized.
Compile and analyze information about incidents that threaten information security.
FedCIRC is currently the Federal civilian government's point of contact for compiling and analyzing information about incidents that threaten information security. Agencies recognize the FedCIRC as providing this significant service. During the past three years, FedCIRC has developed the trust relationships necessary to provide such services. FedCIRC employs the services of Carnegie Mellon University's CERT-CC to conduct detailed research and analysis. CERT-CC was created in 1988 to perform a similar function for DoD after the infamous Morris Worm brought down what was the predecessor of the Internet. Their unique position as a Federally Funded Research and Development Center permits CERT-CC to analyze information about computer incidents from both the civil and defense agencies of the Federal government, and to combine that analysis with a wealth of knowledge gained as the academic community's leading computer security research center. In cooperation with CERT-CC, FedCIRC has implemented a process to disseminate special notices, alerts and advisories based on this analysis.
Inform operators of agency information systems about current and potential information security threats and vulnerabilities.
FedCIRC continues to partner within the Federal government and out into industry and academia to provide sophisticated data back to agencies on threats and vulnerabilities. FedCIRC has developed numerous programs and services for the agencies - all at no cost to agencies. Lately these include discussions on significant vulnerabilities via conference calls with industry experts and CIOs, email alerts, and workshops. In March 2002 we implemented a contract to provide a security Patch Authentication and Dissemination service. Operational in June, this service will provide a process in which operators of agency information systems will receive notification of vulnerabilities affecting the systems they employ. When patches are developed to correct these vulnerabilities, FedCIRC will authenticate the patch to verify that it does indeed correct the vulnerability. We will then advise Federal operators on how to access the patch, and how best to implement it. If a patch is not yet available to correct the vulnerability, FedCIRC will provide advice on steps to reduce the risk. This is the first service of its kind to leverage vulnerability notification services combined with testing and authentication of vendor and manufacturer patches, and FedCIRC has received a great deal of interest in this service from our Federal civilian constituency as well as DoD and State and local governments.
Consult with agencies or offices operating or exercising control of national security systems.
FedCIRC has created multiple processes to consult on a regular basis with multiple centers of expertise in government. FedCIRC's programs have led to significant partnerships across communities that are traditionally stovepiped. FedCIRC is in daily contact with DoD's Joint Task Force for Computer Network Operations (JTF-CNO), the National Infrastructure Protection Center, and NSA's National Security Incident Response Center (NSIRC), which also hosts the Intelligence Community Incident Response Center (ICIRC). These daily conference calls facilitate sharing of information affecting computer systems across community boundaries. In addition to routine daily calls, this partnership facilitates the trust necessary to foster true collaboration in the event of intentional threats to US Government information systems. This collaborative effort has resulted in the development of a virtual incident response community. Though the respective missions of these organizations vary in scope and responsibility, this virtual network enables the Federal Government to capitalize on each organization's strategic positioning within the national infrastructure and on each organization's unique access to a variety of information sources. Each entity has a different, but mutually supportive, mission and focus, which enables the incident response community to simultaneously obtain information from, and provide assistance to, Federal agencies, DoD, the intelligence community, industry and academia. FedCIRC, NIPC, NSIRC and JTF-CNO are involved in a constant sharing of sensitive cyber-threat and incident data, correlating it with counter-terrorism and intelligence reports to develop strategic defenses, threat predictions and timely alerts. These efforts depend not on any one participant, but on the unique and valuable contributions of each organization.
Alerts and advisories are frequently generated by this group, and represent a consensus when distributed to Federal agencies, industry and the general public.
Summary
The vision articulated in H.R. 3844 is one that GSA shares and supports, wholeheartedly. This vision is completely in concert with the mission of the Federal Computer Incident Response Center. FedCIRC already provides each of the services required in the proposed statute for the "Federal information security incident center." The FedCIRC is more than a physical office. During the past three and a half years, the FedCIRC has created multiple processes that bridge across the Federal government and industry - which owns most of the cyber infrastructure and shares selectively with trusted partners. The FedCIRC has stressed the importance of its trusted relationships - which cannot be recreated overnight.
The FedCIRC has established a strong partnership with organizations operating Defense and National Security systems, and has provided valuable information and advice to Federal civilian agencies regarding information security threats and vulnerabilities. The overarching purpose of FISMA is to further the development of Federal government oversight and accountability for information security. This purpose aligns with the FedCIRC's responsibility, and thus the statute should explicitly include the FedCIRC and GSA's role. Therefore, we believe that the term "Federal information security incident center" as used in the Act should be changed to explicitly state "General Services Administration, Federal Technology Service, Federal Computer Incident Response Center".
Mr. Chairman, we appreciate your leadership, and that of the committee, for helping us achieve our goals and allowing us to share information that we feel is crucial to the protection of our nation's technology resources.

Last Modified 9/22/2003