


Cyber Security: The Status of Information Security and the Effects of the Federal Information System Management Act at Federal Agencies

US Department of State


  Bruce Morrison, Acting Chief Information Officer
  Testimony Before Subcommittee on Technology, Information Policy,
  Intergovernmental Relations and the Census
  Washington, DC
  June 24, 2003

  As Delivered

  Good Morning Mr. Chairman and Members of the Committee. I am honored to be here
  and appreciate the opportunity to discuss information security at the
  Department of State. With your permission, I will submit my written testimony
  for the record.

  While we are not yet where we would like to be in cyber security, I would like
  to take this opportunity to report on the initial stages of improving our
  program.

  I would like to state that we at the State Department have the highest level of
  support from Secretary Powell and Under Secretary for Management Green.
  Secretary Powell considers Information Technology [IT] and Security to be a
  strategic component in implementing U.S. foreign policy.

  Let me summarize IT Security at State

  We have long established a strong perimeter defense with technical, physical,
  and personnel controls, anti-virus, firewalls, intrusion detection, and
  incident reporting.

  However, we realize that a sound cyber security program is built upon a
  defense-in-depth strategy that includes management controls as well as
  technical and operational measures. What we have lacked in the past is a
  comprehensive management structure and a serious Systems Authorization program.

  A New Day

  It is a new day at State, with the convergence of several events bringing a
  fresh approach and commitment to cyber security. First, GISRA [Government
  Information Security Reform Act] and then FISMA [Federal Information System
  Management Act] focused top management attention on cyber security. Second, we
  have new cyber security leadership at State: I stepped into the position of
  acting CIO [Chief Information Officer] six months ago. Additionally, there is a
  new Assistant Secretary for Diplomatic Security with whom we collaborate
  closely. Finally, OMB [Office of Management and Budget] very helpfully
  mandated that we authorize all systems by 4th Quarter FY 2004.

  Our new organization is giving birth to a new cyber security culture, and is
  producing results. We have a new Office of Information Assurance headed by a
  senior officer reporting directly to me. This office handles IT security
  policy, program management, performance measures, risk management, and
  reporting.

  There is increased Department-wide cyber security focus as all offices are now
  involved to some degree in cyber security through the Plans of Actions &
  Milestones (POA&Ms) process and awareness programs. As I mentioned, there is
  excellent rapport and collaboration between the CIO and the Bureau of
  Diplomatic Security on all aspects of cyber security. A similarly cooperative
  partnership exists with the Chief Financial Officer on Critical Infrastructure
  protection and the information technology budget.

  We have a senior-level, multi-disciplinary Cyber Security Advisory Group. There
  is a close working relationship with the Office of the Inspector General [IG].
  In bi-weekly meetings with the IG, we discuss a variety of cyber security
  issues with FISMA requirements and systems authorization taking center stage.

  Security and Capital Planning and Investment Control (CPIC)

  State has recently established an E-Gov Program Board chaired by Under
  Secretary for Management Green to manage all IT funds.

  Information Assurance experts now review every IT system budget request to
  assure that appropriate security considerations are budgeted and executed.

  Cyber security is represented at all levels of the budget process. We have
  initiated ongoing training for Systems Owners on completing the security part
  of budget submissions.

  Systems Authorization

  We have developed a new process for IT, which is a hybrid of NIACAP [National
  Information Assurance Certification and Accreditation Process] and NIST
  [National Institute of Standards and Technology] guidance and categorizes
  systems by type and security classification level. The plan was developed and
  submitted to OMB in March and budgeted in mid-April. We are on track with 10%
  of our systems done and with goals of 33% by August 2003 and 100% by August
  2004.

  Institutionalizing Cyber Security

  We are taking specific steps to institutionalize cyber security management and
  practices. New systems are addressing security from the outset and will undergo
  C&A [Certification and Accreditation] so that they are authorized before being
  put into operation. In our future budgets, requests will include security
  costs. Regular awareness sessions for all users, establishing a cyber security
  corps and mandatory training for the security practitioner will assist in
  institutionalizing cyber security throughout the Department.

  In Summary: FY 2003 Progress

  We are still in the early stages of creating a comprehensive cyber security
  program but we have made great strides over the past few months. This progress
  contributed to our PMA [President's Management Agenda] score of "green" for
  E-Gov progress.


  [End]
