New Service to Better Protect Federal Government Computers from Attack

Civilian federal government agencies now have quicker access to expertise and support services they need to protect their electronic information from security threats such as computer viruses and hackers.

The Commerce Department's National Institute of Standards and Technology announced today the establishment of a Federal Computer Incident Response Capability (FedCIRC), made possible by start-up funding from the Government Information Technology Services Innovation Fund. The new initiative combines the experience and expertise of the Defense Advanced Research Projects Agency's CERT(SM) Coordination Center located at the Software Engineering Institute and the Department of Energy's Computer Incident Advisory Capability located at the Lawrence Livermore National Laboratory. FedCIRC expands their reach to offer coordinated incident-response services to the whole civilian federal government.

"Each federal agency simply can't afford to do this on its own," said Patricia Edfors, the GITS Board champion for security and privacy. "I believe it's critical that NIST, which is so highly trusted in computer security, is teaming with the proven expertise of the CERT/CC and CIAC to provide this incredibly vital service."

Increasing reliance on computer networks means federal government agencies face threats that could jeopardize information technology systems needed to do the government's business. Tax documents, private medical records, delicate research protocols and sensitive diplomatic materials are at risk when viruses, software vulnerabilities and direct attacks compromise the systems on which they reside.

"Sharing vulnerability information and the ways to protect yourself minimize the damage and prevent future incidents," said Marianne Swanson, a computer specialist in NIST's Computer Security Division.

The new service will use $2.79 million the first year and $1.9 million the second year to launch the service. FedCIRC is expected to be self-funding through subscription fees by the end of year two. In addition to undertaking their scaled-up responsibilities for serving all federal civilian agencies, the CERT Coordination Center and CIAC will continue to perform their existing functions.

FedCIRC offers a wide range of services—from seminars and a resource clearinghouse to on-site security evaluations and 24-hour emergency support—that allows agencies to handle security breaches by supplementing their own operations or by depending primarily on FedCIRC. Agencies who subscribe to FedCIRC will benefit from services such as technical assistance in identifying and solving vulnerabilities, advisories that warn of recent incidents, guidelines on implementing "fixes" and coordination with other incident-response organizations.

The Office of Management and Budget requires in its revised Circular A-130 Appendix III that agencies be able to respond to security incidents in a manner that both protects their own information and helps to protect the information of others who may be affected by an incident. FedCIRC supplements, but does not replace, an agency's in-house response capability. Each federal government agency should have a central point of contact to handle basic questions from their constituency.

A one-day seminar that explains FedCIRC will be held in Arlington, Va., on Nov. 7 for federal civilian agencies. Additional information on the seminar or FedCIRC is available from the FedCIRC office at (301) 975-4369 or on the World Wide Web at http://csrc.nist.gov/fedcirc.

A non-regulatory agency of the Commerce Department's Technology Administration, NIST promotes U.S. economic growth by working with industry to develop and apply technology, measurements and standards.

CIAC is DOE's computer security incident response team. CIAC handles computer security incidents through damage assessment, software "patches" when necessary and advice to site personnel on recovery procedures. CIAC also provides training and education and acts as a center of excellence on computer security matters, carefully tracking the latest technology trends, products and system network security threats and vulnerabilities. The CERT Coordination Center is located at the Software Engineering Institute and is operated by Carnegie Mellon University in Pittsburgh, Pa.

The CERT Coordination Center is chartered to work with the Internet community in detecting and resolving computer security incidents and taking steps to prevent future incidents.

CERT is a service mark of Carnegie Mellon University (CMU).