FedInsider.com will bring you fortnightly the voices
of those in the government community driving change. You'll hear about leaders
from both government and industry who will lead and manage government through
transition to the next Administration. Watch your inbox on the 1st and 15th every
month.
—11/15/08
Michael E. Kennedy
TOM TEMIN - A trusted member of the Federal community, Tom has had a seat at
the table from which to inform us on the issues of the day for more than 16 years.
As the editor of FedInsider.com, Tom will continue to bring you viewpoints on
the issues of the day. Read Tom's Bio.
FedInsider.com is published by
Hosky Communications Inc.
3811 Massachusetts Ave.
Washington, D.C. 20016
202-237-0300
Publisher: Tom Hosky
Editor: Tom Temin,
Thomas R Temin Associates
Design: Denise Hyatt-Roberts, Cyber
Services, Inc.
Marketing: Kathryn Nanai,
Hosky Communications Inc.
Media Relations: Kristie Clement, Hosky Communications Inc.
NIST STEADILY ADVANCES CAUSE OF IT SECURITY
When Bill MacGregor looks at an HSPD-12 card, he sees a logical construct for secure authentication and encryption, separate from the card itself. He sees logic that someday will nail, once and for all, the crucial security requirement of identifying users to applications. -> Read More
GOVERNMENT LOVES CONTRACTORS, MAYBE A LITTLE TOO MUCH
There's an old saying in psychological circles: The opposite of love isn't hatred, it's indifference. You might say the federal government has a love-hate relationship with contractor employees. -> Read More
WHO’S IN CHARGE? AGENCIES HAVE LOTS OF CHIEFS
Ever wonder why a swimming pool needs lifeguards even when there might be scores or even hundreds of people sitting around staring at the water? The answer is found in a pool safety maxim: When everyone is looking, no one is looking. With so many CXOs these days, who is responsible for diving in and making the save? -> Read More
AIR FORCE, NOAA BETTER NOT MAKE IT SEEM TOO EASY — OR CHEAP
Suppose the Department of X wanted to make a 20% improvement in response times to, say, grant requests or settling some benefits claims. It would probably request a few hundred million dollars, maybe a billion, for a project to get it done. Find out how little NOAA needs for double digit improvements. -> Read More
-
Got an HSPD-12 ID card?
Take a look at it. What do you see?
A card, right? That's what most people see.
When Bill MacGregor looks at an HSPD-12 card, he sees a logical construct for secure authentication and encryption, separate from the card itself. He sees logic that someday will nail, once and for all, the crucial security requirement of identifying users to applications.
“We're working towards the day when PIV-based access and authentication are part of the woodwork. For federal employees and contractors, they'll just be everyone's HSPD-12 card,” MacGregor says.
He is coordinator for PIV — or personal identity verification — in the Systems and Network Security Group, Computer Security Division at the National Institutes of Standards and Technology. When Homeland Security Presidential Directive-12 mandated smart PIV cards for government employees, the federal government faced a classic situation of “easy to say, hard to do.”
Hard, that is, when it comes to ensuring governmentwide interoperability and robust security. That takes standards, and with standards comes guidance to both users and vendors for how to apply the standards. That's where NIST and MacGregor's group comes in. To foster an interoperable, standards-based market, it first helps establish the standards and then creates downloadable demonstration software showing how various strong authentication methods can work using encryption or biometrics, or both.
The group has released two downloads. One demonstrates Windows XP logon using PIV cards for encryption keys and also a PIN. The other demonstrates similar two-factor verification for secure web sessions on the Firefox browser over Linux and for sending and receiving encrypted e-mail on the Thunderbird mail client.
A third download is coming that will demonstrate how biometrics — fingerprints in this case — can combine with encryption and a PIN to provide even stronger authentication.
Technically astute and precise, MacGregor points out that the HSPD-12 PIV standards don't, and will not, provide authorization to specific applications or databases. That's the realm of each application on its own. Thus users of PIV cards can have a single logon to multiple networks, for example, but have access only to information or applications to which they have rights.
The demos, MacGregor emphasizes, are not products, nor code that can be dropped into commercial applications.
“We are not product providers. These are demonstration packages. They're intended to help developers learn how to read data from a PIV card or what results to send an application, and what commands to send to a card,” he says. Developers and systems specifiers can look into the code to see how the components work together as they develop new card uses. He points out that coding a card for opening a computer with full disk encryption is technically quite different from coding a card to log on to a WAN. In the former example, because even the operating system is encrypted, the developer must code the card to interact with a very tiny amount of embedded code off the disk on a chip.
Next on the horizon from NIST, according to MacGregor, will be standards for software-defined card readers. That's because even with standards, a given reader is likely to encounter a multiplicity of cards — now and in the future.
“We'll never get the whole population to a single card type,” MacGregor says. Even a single door on an airport concourse is likely to encounter several card types, and yet readers will have to be future proof.
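The separation MacGregor draws, two-factor authentication (something you hold plus a PIN) handled by the PIV layer and authorization left to each application, is easy to blur in practice. The following is an added example, not NIST's demonstration code and not anything distributed with the downloads described above. It models that separation in the standard library only: an HMAC key on a card model stands in for the card's asymmetric key and certificate (an assumption made to avoid third-party crypto packages), the PIN, retry limit, holder names and per-application access lists are all constructed sample values, and the "card" and "relying party" are plain Python objects rather than a real reader or middleware.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed value: smart cards block after a small number of wrong PINs;
# three is chosen here for illustration, not taken from the PIV standard.
PIN_RETRY_LIMIT = 3


class PivCardModel:
    """Stand-in for a PIV smart card: the secret is only usable after the
    correct PIN is presented, and the card blocks itself after too many
    wrong attempts (the 'something you have' plus 'something you know')."""

    def __init__(self, holder_id: str, pin: str, key: bytes):
        self.holder_id = holder_id
        self._pin = pin          # real cards never export the PIN; kept here for the model
        self._key = key          # stands in for the card's private key
        self.retries_left = PIN_RETRY_LIMIT
        self._unlocked = False

    def verify_pin(self, pin: str) -> bool:
        if self.retries_left == 0:
            return False         # blocked card: no further attempts accepted
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._unlocked = True
            self.retries_left = PIN_RETRY_LIMIT
            return True
        self.retries_left -= 1
        self._unlocked = False
        return False

    def sign_challenge(self, challenge: bytes) -> Optional[bytes]:
        # The key is unusable until the PIN has been verified.
        if not self._unlocked:
            return None
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class AuthenticationService:
    """The relying party. Its registry of holder -> key is a stand-in for
    trusting the certificate on the card; it issues a fresh random challenge
    per attempt so a captured response cannot be replayed."""

    def __init__(self, registry: Dict[str, bytes]):
        self._registry = registry

    def authenticate(self, card: PivCardModel, pin: str) -> Optional[str]:
        if not card.verify_pin(pin):
            return None
        challenge = secrets.token_bytes(32)
        response = card.sign_challenge(challenge)
        expected_key = self._registry.get(card.holder_id)
        if response is None or expected_key is None:
            return None
        expected = hmac.new(expected_key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return None
        return card.holder_id    # an authenticated identity, nothing more


# Authorization belongs to each application, not to the card or the PIV layer.
# Constructed sample access lists.
APP_ACLS = {
    "payroll": {"alice"},
    "hr-records": {"bob"},
}


def authorize(app: str, holder_id: str) -> bool:
    return holder_id in APP_ACLS.get(app, set())


def access_request(service: AuthenticationService, card: PivCardModel,
                   pin: str, app: str) -> str:
    """Single logon identity, per-application access decision."""
    holder = service.authenticate(card, pin)
    if holder is None:
        return "denied: authentication failed"
    if not authorize(app, holder):
        return f"denied: {holder} is authenticated but not authorized for {app}"
    return f"granted: {holder} -> {app}"


def build_demo():
    """Constructed fixture: one enrolled holder, one card, PIN 123456."""
    alice_key = secrets.token_bytes(32)
    service = AuthenticationService({"alice": alice_key})
    card = PivCardModel("alice", "123456", alice_key)
    return service, card


if __name__ == "__main__":
    svc, alice_card = build_demo()
    print(access_request(svc, alice_card, "123456", "payroll"))
    print(access_request(svc, alice_card, "123456", "hr-records"))
    print(access_request(svc, alice_card, "000000", "payroll"))
```

The point to carry away is in `access_request`: the same authenticated identity is granted one application and refused another, and a wrong or blocked PIN never reaches the authorization step at all. A real deployment replaces the HMAC registry with certificate validation against the issuing CA and revocation checking, and the card model with actual card middleware; the two-stage structure stays the same.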
-
There's an old saying in psychological circles: The opposite of love isn't hatred, it is indifference. You might say the federal government has a love-hate relationship with contractor employees.
Consider: A bill is in Congress to halt A-76 public-private competitions. Last year in the authorization process, Congress directed the Coast Guard to stop using a lead contractor to oversee other contractors in its Deepwater program. Pending legislative adventures would require contractors to disclose executive salaries and the government to create a new database of contractor malfeasance.
And yet the government can't get along without contractors. Members of Congress know it, as does nearly every federal program manager. Probably none know it better than contractors themselves.
So while contractors seemingly undergo excoriation from every angle, there are also moves to aid and nourish the relationship — that's the love side.
Well, not quite love. A group of Democratic lawmakers recently introduced legislation to protect contractor employees from discrimination and harassment. But the bill from Rep. Sheila Jackson Lee (D-Texas) isn't aimed at CEOs and vice presidents of business development. It's aimed at protecting corporate whistleblowers who raise issues of waste, fraud and abuse in government projects.
At least H.R. 6780 acknowledges that contractor workers do important work and have sufficient knowledge of government programs that they can have worthwhile insight.
The Government Accountability Office is also concerned with what contractors are up to. One GAO report last month found that the Centers for Disease Control, in planning for its workforce requirements, wasn't giving enough consideration to the portion of work contractors do. As GovExec reported, since 2000, the contractor workforce at CDC has grown 139 percent. In the absence of more careful contractor management, CDC's workforce planning “will not give the agency a strategic view of its governmental and contractor workforce and thus may not be as useful as it could be in assisting the agency with strategic, human capital planning for its entire workforce,” GAO said.
-
Ever wonder why a swimming pool needs lifeguards even when there might be scores or even hundreds of people sitting around staring at the water? The answer is found in a pool safety maxim: When everyone is looking, no one is looking.
When it comes to federal IT projects and systems, the pool is going to have two lifeguards, and you have to ask what happens when they both dive in to respond to the same incident.
The government has been creating “chiefs” for a number of years, as in CXOs. The “X” can be human capital, financial, information, information security, knowledge or technology. (There are even more in the private sector.) Is it the CISOs and CIOs who might be stumbling over the same territory in the next administration?
Sen. Tom Carper (D-Del.) is creating a bill known as the Federal Information Infrastructure Response Enhancement Act. This klutzily-named law would expand CISOs' powers to act in the event of cyber threats, including cutting off users or groups with security problems or who violate policies. CISOs would no longer report to CIOs.
Carper's bill would also establish a new council for CISOs.
Meanwhile, Carper has also sponsored S. 3384, which would plop a new layer of oversight on federal IT projects. The Information Technology Investment Oversight Enhancement and Waste Prevention Act would require CIOs and, presumably, program managers and even agency heads to send special reports to Congress when a project reaches 20 percent over cost estimates.
NextGov reports that the bill has bipartisan Senate support.
Bottom line: As the tinkering continues, CIOs are likely to lose a little maneuvering room, while CISOs gain some.
-
Suppose the Department of X wanted to make a 20% improvement in response times to, say, grant requests or settling some benefits claims. It would probably request a few hundred million dollars, maybe a billion, for a project to get it done.
The National Oceanic and Atmospheric Administration wants to improve the forecasting of hurricane vectors and intensities by 20 percent. So the Bush administration has upped its fiscal 2009 request for NOAA hurricane research more than fourfold.
To $17 million. Yes, a mere $17 million. The research involves boosting supercomputing which, while expensive by PC standards, has become exponentially more affordable in recent years. Scientists need ever more computing power so they can run more complex algorithms.
As the cliché goes, an increase in the request from $4 million for hurricane research to $17 million is, in federal terms, a rounding error. Consider that in light of the $400 million bioresearch lab that Homeland Security is establishing in beautiful Flora, Mississippi.
Meanwhile, a recent Air Force press release detailed how one Staff Sgt. Ray Stetler, working in Ali Base, Iraq, responded to a request that commanders be able to listen in to operations of MQ-1 Predator unmanned aerial vehicle operations.
Stetler: “I terminated a network connection cable inside the headset coming from the wire harness and connected it to the conference call terminations on the circuit board inside the VOSIP [voice over SIPRnet] phone.” Voila, as operators do their work, they can simultaneously communicate with distant officers.
Sgt. Stetler spent five hours doing the modification, and spent a total of $1.
One wonders what a contractor might have charged for the work.