Feds’ Security Move: Reduce ‘Net Connections

Federal agencies continue to report that they’re making progress on a governmentwide initiative aimed at reducing their exposure to Internet-based threats, according to Karen Evans, the de facto federal CIO. But she also disclosed that the effort to consolidate the government’s connections to the Net has been scaled back because of feedback from agency officials. During a press conference Thursday, Evans, whose official title is administrator of e-government and IT at the White House Office of Management and Budget, provided a status update on the Trusted Internet Connections (TIC) initiative launched by the OMB last November. As part of the effort (download PDF), civilian agencies are working to reduce the number of external Internet connections that they have in place.

The goal is to lower the risk that government systems will be hit by online attacks, and to make it easier to monitor the Internet connections being used by agencies. Instead of having each individual agency manage its own connections, the plan is to have a small group of TIC Access Providers offering centralized connectivity and gateway monitoring services to some agencies.

Evans said that as of May, the number of external connections had been reduced from a total of more than 4,300 when the TIC initiative was announced to just over 2,750, based on reports submitted to the OMB by agencies. But she added that instead of whittling down the overall number of connections to 50, which is what the plan originally called for, the OMB now is looking to lower that number to about 100 by the end of 2009.

“Initially, we thought we could bring it down to 50,” Evans said. “Right now, based on feedback from agencies and the [General Services Administration], we have set the goal at less than 100.”

Thus far, two agencies have indicated their willingness to act as Internet access providers for other agencies, Evans said without identifying them. One has already demonstrated the technical and business capabilities needed to deliver access services beyond its own systems, while the other is about 90% of the way there and is working to close the remaining gaps in its capabilities, she said. Between them, those two agencies are expected to manage a total of seven Internet connections.

Another 16 agencies have shown themselves to be willing and able to act as their own Internet access providers, Evans said, adding that they likely will oversee a combined total of 72 connections under TIC. The remaining 121 agencies covered by the initiative will have their Internet connections managed via a GSA-approved access provider, according to Evans.

The number of connections eliminated thus far “is quick, impressive progress,” said Alan Paller, director of research at the SANS Institute, a Bethesda, Md.-based security training and certification organization. And for the most part, that progress has been “relatively painless” for federal agencies, he added. “The agencies trying to make it hard are just whining out of habit, as they do whenever they’re asked to do security,” said Paller, who is an advisor to the government on the TIC initiative.

TIC is a key component of a broader Cyber Initiative that was mandated by President Bush in a classified directive issued in January. The directive called on agencies to work together to improve the security of federal systems, which has routinely been criticized in congressional report cards and in reports issued by the Government Accountability Office.

Among other things, Bush’s mandate calls for expanded monitoring of federal networks in order to enable network administrators to detect intrusions and other malicious activities and then respond to them more quickly than they can now. In an interview earlier this year, Evans vowed that the efforts to improve security will be done “in a very transparent way,” without compromising the privacy of federal workers.