That, by and of itself, isn't the scary part. What is: The project costs per "averaged sized" agency, such as the Social Security Administration, are nearly $500 million to $800 million, according to Peter Alterman, Ph.D., the assistant CIO for e-authentication, and the chair of the Federal PKI Policy Authority.
And those half to billion dollar budgets don't include purchasing and deploying the nearly 40 million smart cards that federal government employees and contractors must possess to interface with the PKI system and enter government buildings, Alterman adds. Nor does it include the smart card readers required for each PC or doorway.
The PKI initiative is the government's response to security measures mandated by Homeland Security Presidential Directive 12 (HSPD-12) by President Bush in 2004. It is far and away the number one IT-focused security issue federal agencies must deal with in 2007.
One of the other rules, the Office of Management and Budget M-6-16 (OMB 6-16) directive, is only somewhat less onerous. It mandates using "only...two-factor authentication where one of the factors is provided by a device separate from the computer" (i.e., a hardware token) for remote access to government data.
The third major federal-related security issue, the reworking of the Federal Information Security Management Act (FISMA), is unlikely to impact federal agencies, at least near term in 2007. Less certain, however, is the affect that the naming of Greg Garcia, a former 3Com executive, as the new so-called "cybersecurity czar" will have on Department of Homeland Security (DHS) policies that influence federal agencies.
That federal agencies spend big on IT security isn't a major revelation. According to research firm INPUT, they'll pony up about $5.2 billion for IT security products and services in 2007; that climbs to $7.3 billion in 2011, according to Prabhat Agarwal, INPUT's manager of information security for the federal government.
HSPD-12 is the "biggie" here. It calls for every federal agency to have distributed smart cards to employees and contractors by October 27, 2006. The cards allow access to federal buildings and work in conjunction with a back-end PKI infrastructure to deliver authorized access to government data resources.
Twelve federal agencies are ahead of the curve, with PKI and card systems up and running, according to Agarwal. These include the Department of Defense, the National Space and Aeronautics Agency, DHS, the Department of Justice, and the Treasury Department. Their systems have been "cross-certified" to work with each other.
The remaining federal agencies are working with the Shared Services Provider program to deploy their PKI infrastructures, according to Alterman. He says his group, created by the Federal CIO Council in 1999, determines policies and selects vendors for the Shared Services Provider program, which was created to facilitate outsourcing of PKI services by federal agencies without the resources to do so themselves.
One factor limiting the roll-out: The government mandate requires using the next generation of smart cards, called Personal Identification Verification (PIV) card, which cards are only now coming to market, Alterman says.
To make things even worse for federal agencies, "very little of the money is being funded" by the federal government, he adds. "Agencies have to pay for this out of existing budgets, and most agencies have had retrenchment in their budgets over the last couple of years.
"This is an awkward time to levy a new security requirement without providing money for it," Alterman says. "The agencies will comply, but this has been a major issue for them."
Meanwhile, a congressional report in March giving the federal government a D+ grade on computer security for two years straight has opened debate about the relevance of the grading system.
"Because of inattention to information security in a multitude of federal agencies, clearly Congress will be more focused on whether they're doing their job," says Paul Kurtz, the executive director of the Cyber Security Industry Alliance (CSIA), a trade consortium.
What direction Greg Garcia, as assistant secretary for cyber security and telecommunications, will take remains unknown. Just having someone in that position after it was unoccupied for 14 months is a positive move, notes Kurtz.
One thing is certain: Garcia brings a wealth of IT-focused security experience to the job. He joins DHS after having served as the vice president of information security policy and programs for the Information Technology Association of America (ITAA), an industry trade association. Before that, Garcia served as a member of the professional staff, House Science Subcommittee on Research, where he managed science and research issues related to information technology. Earlier, Garcia served as Director of Global Government Relations and head of the Washington office for networking products vendor 3Com.
Garcia will find himself working with a Congress that will be focusing on "securing personal information" in the wake of the Veterans Administration "incident," in which a laptop with millions of veterans' personal information was stolen. "That clearly will be an issue Congress will bring up next year," Kurtz says.
-Jim Carr is an Aptos, Calif.-based freelance business and technology writer. Contact him at firstname.lastname@example.org.
The good and the bad
FISMA mandates agencies to develop inventories of IT resources and to test their systems for security vulnerabilities. They must also create remediation plans for potential attacks or outages. Reports prepared by agency CIOs and inspector generals must indicate whether their departments meet FISMA standards.
In the March 2006 report card, eight of the 24 agencies evaluated received F grades for 2005. In addition to the DHS and the DOD, agencies getting Fs included the departments of State, Energy, Interior, Agriculture, Veterans Affairs, and Health and Human Services. The grades for the DOD, Interior, and State fell from D, C+ and D+, respectively, in 2004.
Other agencies whose 2005 grades dropped from a year ago included the Department of Transportation (falling to a C- from an A-); the Department of Justice (to a D from a B-); and the Nuclear Regulatory Commission (to a D- from a B+). Seven agencies received grades of A- or better. The Department of Labor, the Social Security Administration, and the Environmental Protection Agency were among those with A+ grades.
At the other end of the spectrum, several agencies' scores jumped this year. The Office of Personnel Management saw its grade improve to an A+ from a C-, the National Science Foundation and the General Services Administration, climbed to an A and A-, from C+, and NASA's grade rose to a B- from a D-.
— Jim Carr