Information assurance: Integrators gear up for the next big thing

When information assurance experts at SRA International Inc., Fairfax, Va., want to show their government clients the full range of possible security risks they face, they sometimes dispatch someone to an agency office to sneak in the front door and try to steal a computer. Or, with the permission of the agency heads, the visitor might try to find an empty conference room with an open jack to the company's network.

The physical aspect of cybersecurity is one few people think about, but the threat exists, said Mary Ellen Condon, director of SRA's information assurance office.

"Any organization has people coming in and out: maintenance personnel, potential clients," Condon said. This is how a criminal can steal valuable data, she said.

SRA's unusual tactic is a good indicator of how broad the field of information assurance truly is. Although the term "information assurance" doesn't appear to drive many contracts coming from the federal government, it is on the minds of agency heads, who often request information assurance-related work in different pieces, such as contracts for security, disaster recovery or public key infrastructure.

But what agencies need most, said industry officials, are integrators that can help them see the big picture, to see how the multitudinous aspects of protecting data fit together to create enterprisewide information assurance. This enables agencies to make tough decisions about how much protection they need.

"Integrators bring expertise to the agency. We bring the talent and the experience to help them create their information assurance plans," said Jim Hogler, vice president and division manager of the information assurance division for CACI International Inc., Arlington, Va.

"Agencies don't buy individual products in a standalone fashion. They have a need to do an enterprise operation. So they will hire an integrator to put together a system of products that work together in an effective manner," said Ron Ross, director of the National Information Assurance Partnership, a collaboration between the National Security Agency and the National Institute of Standards and Technology to establish a framework for security testing of commercial software.

The government information assurance market is expected to grow 15 percent to 20 percent annually for the next five years, according to an October 2001 report by the Government Electronics and Information Technology Association. GEIA said the government market for the various components of information assurance, pegged at $2 billion to $3 billion today, will grow to an estimated $9 billion by 2006.

Before Sept. 11, the demand for information assurance was driven to some degree by executive and legislative mandates. For example, in May 1998, President Clinton issued Presidential Decision Directive 63 in response to the 1995 Oklahoma City bombing, setting up guidelines to protect national infrastructures, such as telecommunications, banking and finance, energy, transportation and essential government services.

On the legislative side, the Health Insurance Portability and Accountability Act and the Government Paperwork Elimination Act are driving online government services that require heightened sensitivity to security and information validity.

While these mandates continue to focus agency attention on information assurance, government and industry officials agree that the terrorist threat has dramatically ratcheted up activity in past months.

"We have seen a tremendous allocation of funding for information assurance," said Steve Hutchens, director of security solutions for global public sector at Unisys Corp., Blue Bell, Pa. Hutchens' department hired 10 people in the last three weeks of May, in part because of increasing information assurance-related work.

Since Sept. 11, Oracle has seen heightened interest from agencies that already use the company's databases but now are interested in deploying the company's advanced encryption, backup, load balancing, auditing and other security-related features, said Dave Carey, vice president of information assurance for Oracle Corp., Redwood Shores, Calif.

"Before Sept. 11 you had to explain what the threats were," Carey said. "You don't have to do that now. People know what the threats are."

Puzzle pieces vary

To a large degree, agencies continue to request information assurance-related work as smaller pieces of a larger puzzle. At Unisys, for example, Hutchens said he sees a wide range of requirements coming from agencies, such as network assessments, assisting certification and accreditation, and enabling PKI.

"There is no single category of service that dominates," he said.

Even agencies that approach information assurance from an enterprisewide perspective are not relying on just one integrator, he said. One company might be asked to provide network security, while another provides training. Usually, a "single integrator does not go in and do a soup-to-nuts approach," Hutchens said.

Hogler said CACI divides the tasks of information assurance into a number of steps along a continuum: defining policies and procedures, designing and implementing the architecture, certifying the systems, educating and training personnel, and system monitoring and program management.

Typically, an integrator may execute just one of the steps for an agency, though as a relationship and a knowledge base build between the integrator and the agency, more work may follow.

"If an agency gets a good integrator to work with, the work expands across the enterprise," Hogler said.

CACI has completed information assurance work for the Federal Aviation Administration, the Office of Personnel Management and other agencies. Under the General Services Administration's Safeguard contract vehicle, the company was awarded a five-year, $31.5 million contract to help the U.S. Customs Service develop information assurance plans and policies, deliver training, establish a security architecture and maintain incident response capabilities.

The big picture

"We approach security very holistically. We look at the personnel, the process and the technology that are relevant at supporting informational assurance activities," said SRA's Condon.

Condon said information assurance isn't just about security; it's about the entire business process, guaranteeing that customers are getting what they pay for and that the information is not being used improperly.

Every link is critical to maintaining the integrity of an agency's information, said NIAP's Ross. There are technical components, such as firewalls and public key infrastructure, as well as nontechnical components, such as guards and gates.

But agencies also must ensure that employees are cleared to perform sensitive work, and must implement programs to educate people on topics such as the proper way to choose passwords.

"All of this makes for a big puzzle," Ross said.

And an expensive puzzle, as agencies are finding that a perfect information assurance solution is prohibitively expensive. "It's very costly to protect systems," said Mike Grady, vice president and chief technology officer of the Office of Technology, Engineering and Quality for Northrop Grumman Information Systems, a division of Northrop Grumman Corp., Los Angeles. Agencies with limited budgets are faced with making cost-value trade-offs, which private industry has been faced with for years. Banks, for instance, could make credit cards more secure, but they weigh that extra cost against the risk of credit card fraud.

The question is how much they want to pay for security and how much risk they are willing to accept now, Grady said.

"Agencies are recognizing they need to think about what their requirements are in some organized way. Doing up-front work in this way will save you money in the long run," said Richard Wilhelm, vice president for Booz Allen Hamilton Inc., McLean, Va. Booz Allen has completed numerous large-scale information assurance projects for clients, such as the FBI and the Department of Defense.

With the deadline of the Government Paperwork Elimination Act set for this October, many agencies are looking to PKI implementations as a component of their electronic systems, said Wilhelm, who works in the company's strategic security practice. But offices reacting too quickly to the mandate may be purchasing PKI-based systems they may not need, he said.

Booz Allen has found that only 20 percent of the digital transactions required by GPEA actually need to be authenticated, Wilhelm said. By not deploying PKI systems in all electronic systems, agencies can save a good deal of money.

"In the end, it is all about risk and managing risk," Ross said. No systems are completely secure. So the question is not whether an agency will have secure systems, but what level of risk the agency is willing to take.

"And that will be different for every organization," Ross said.

* * *

Between hacker break-ins and the viruses running amuck these days, the distinction between "information assurance" and the far-more-discussed "information security" may seem blurry. In fact, information security is only a subset of information assurance.

"Information assurance deals with the protection of information. Information security deals with the protection of the infrastructure over which the information flows," said Jim Hogler, vice president and division manager for the information assurance division of CACI International Inc., Arlington, Va.

Securing information may include components such as computer firewalls, network intrusion detection software and virus protection software. Integration contracts for security may also delve into personnel and administrative training.

Assurance of information also involves aspects falling outside the security realm, such as records management and disaster recovery.

Mike Grady, vice president and chief technology officer of the Office of Technology, Engineering and Quality for Northrop Grumman Information Systems, a division of Northrop Grumman Corp., Los Angeles, said organizations look for five elements in information assurance plans:

  • Data availability;

  • Data integrity;

  • Data authentication;

  • Data can be seen only by authorized parties;

  • Data is subject to non-repudiation.

While security runs through all of these elements, they present other requirements as well. Data availability may involve load balancing among multiple servers during times of heavy traffic. It may also involve disaster recovery plans, also known as business continuity, so data will be available during times of crisis. Non-repudiation and authentication assure that data can be legally binding on those who have created it, and so involve authentication services and records management software.

"Information assurance is the confidence to conduct your mission in a presumed hostile environment," Hogler said.

* * *

Beginning next month, integrators building systems that involve national security could face limited choices in the types of information technology they deploy. That's because the National Security Telecommunications and Information Systems Security Policy No. 11 is set to kick in.

If this mandate is enforced, agencies will have to use only technology that has been validated to meet information assurance requirements for secure networks, said Ron Ross, director of the National Information Assurance Partnership, a collaboration between the National Security Agency and the National Institute of Standards and Technology to establish a framework for security testing of commercial software.

Given the events of Sept. 11, the industry view is that the mandate will be far-reaching, touching systems not generally regarded as high security. For example, the Defense Integrated Military Human Resource System, the Defense Department's unified payroll system now in the solicitation stage, likely will be subject to Policy 11 requirements, said Mary Ann Davidson, chief security officer for Oracle Corp., Redwood Shores, Calif.

"The question has come up: 'Does NSTISSP apply?' And, apparently, the determination has been made that it does," Davidson said.

The Navy-Marine Corps Intranet is another project that should fall under the new policy mandate, said Eric Mazzacone, a spokesperson for the Navy's Program Executive Office of Information Technology. This $6.9 billion contract is held by Electronic Data Systems Corp., Plano, Texas.

Established by National Security Directive No. 42, dated July 1990 and issued by the Department of Defense's National Security Telecommunications and Information Systems Security Committee (now the Committee on National Security Systems), this policy mandates that by July, all commercial software used in government systems that process, store and transmit national security information must be certified by one of several organizations or validation programs.

While these mandates have been in place for some time, procurement officers could issue waivers to bypass the policy. But industry is getting signals the Department of Defense "is now getting serious about enforcing it," Davidson said.

For more information on Policy 11, see www.nstissc.gov/Assets/pdf/nstissp_11.pdf. For a list of validated equipment, see niap.nist.gov/cc-scheme/ValidatedProducts.html.

* * *

Should a hurricane or terrorist strike ravage an AT&T Corp. Internet data center or switching office, the company is ready to get it back online. Showing what an expensive proposition information assurance can be, the New York-based telecommunications company has invested $300 million into what it calls its Network Disaster Recovery Team, which includes more than 100 tractor trailers filled with networking equipment ready to be dispatched at a moment's notice.

The company said that once a calamity strikes, services can be restored to any of its facilities around the country within 36 hours, allowing customers to get their data and business processes back online quickly. In May, the company held a field exercise in which the big rigs rolled into its Ashburn, Va., Internet Data Center, pictured here.

Larry McCarter of AT&T Corp. prepares for a network disaster recovery exercise. Disaster recovery is an important part of information assurance.

Washington Technology photo by Olivier Douliery

Members of AT&T's Network Disaster Recovery Team set up for an emergency exercise.

Washington Technology photo by Olivier Douliery

* * *

Upcoming contracts focused on information assurance and security, or contracts with a large security component:

DEFENSE DEPARTMENT PUBLIC KEY INFRASTRUCTURE CONTRACT
Value: Undetermined
Purpose: Support PKI implementation
RFP: June

GSA SAFEGUARD II
Value: $250 million
Purpose: Information security services
RFP: July

AIR FORCE BASE LEVEL SYSTEM MODERNIZATION-GLOBAL COMBAT SUPPORT SYSTEM
Value: $900 million
Purpose: Support standard automated information systems through 2025.
RFP: January 2005

AIR FORCE INTELLIGENCE INFORMATION COMMAND AND CONTROL EQUIPMENT ENHANCEMENT SUPPORT (ICE 2)
Value: $2 billion
Purpose: Logistics support for the Defense intelligence information services and command and control units worldwide.
RFP: May

ARMY COMMON HARDWARE/SOFTWARE III
Value: $800 million
Purpose: Provide hardware, software and professional services to create an integrated system of battlefield processors.
RFP: December

DEFENSE TRANSMISSION SERVICES-EUROPE
Value: $1 billion
Purpose: The European portion of the Defense Information Systems Network.
RFP: On hold, requirements being reviewed.

ENERGY TELECOMMUNICATIONS INTEGRATOR SERVICE II
Value: $600 million
Purpose: Outsourcing contract to provide telecommunications integration services.
RFP: September

JUSTICE SERVICE TECHNOLOGY ALLIANCE RESOURCES RECOMPETE
Value: $1.2 billion
Purpose: Immigration and Naturalization Services has a requirement for information resource management.
RFP: August 2002

Source: Input

* * *

Major contracts

The Defense Department Information Assurance Services or I-Assure contract and the General Services Administration's Safeguard program are two of the major vehicles for agencies to buy information assurance and security services.

The big winners under Safeguard, which was awarded to 27 companies, are CACI International Inc. with $7.2 million in task orders during 2001, Northrop Grumman Corp. with $6.7 million, Science Applications International Corp. with $3.9 million and Booz Allen Hamilton Inc. with $3 million.

The I-Assure contract, awarded to 11 companies, has been dominated by Computer Sciences Corp. with 268 task orders, worth a total of $147 million through fiscal 2001, or 68 percent of the work under I-Assure.

Under I-Assure, the contract holders are:

  • Affiliated Computer Services Inc.
  • Artel Inc.
  • Computer Sciences Corp.
  • Electronic Data Systems Corp.
  • Northrop Grumman Corp.
  • Pragmatics Inc.
  • Science Applications International Corp.
  • SRA International Inc.
  • Veridian Corp.
  • Wang Government Services

The GSA Safeguard holders are:

  • Affiliated Computer Services Inc.
  • Anteon Corp.
  • AT&T Corp.
  • BBNT Solutions LLC
  • Booz Allen Hamilton Inc.
  • CACI International Inc.
  • Computer Sciences Corp.
  • Collins Consulting Group
  • DynCorp
  • Electronic Data Systems Corp.
  • Electronic Warfare Associates
  • IBM Corp.
  • KPMG Consulting Inc.
  • L & E Associates
  • Lockheed Martin Corp.
  • NCS Pearson Inc.
  • Northrop Grumman Corp.
  • Science Applications International Corp.
  • SRA International Inc.
  • STG Inc.
  • Telos Corp.
  • Titan Corp.
  • TRW Inc.
  • Unisys Corp.

Source: Input

* * *

Industry snaps up workers with advanced degrees

More than half the undergraduates enrolled in the management of information systems degree program at Western Connecticut State University in Danbury are taking the information security track, according to Marie Wright, associate professor of management information systems.

The university first offered the information security track in 1999. Ninety percent of undergraduate MIS students now take at least one information security course, she said.

"When we started this, I don't think we anticipated the intense student demand for the course and the program," said Wright, who teaches two introductory classes and believes demand could support two more.

Western Connecticut and Norwalk Community College in Norwalk, Conn., are planning a joint computer security degree program that is on track to launch this fall. Students will earn an associate's degree in computer science at Norwalk, and then move to Western Connecticut, where they will earn a bachelor's degree in management information systems with a specialization in information security. Wright expects the program will be an immediate success.

"Security has been a growing concern for a long time, and it has been magnified since Sept. 11. Having undergraduates walk out with a solid foundation is a win-win situation for students and businesses," Wright said.

Two recent studies have highlighted the importance of information security professionals. The annual IT work-force study released in May by the Information Technology Association of America, Arlington, Va., noted information security skills are especially critical for network designers and administrators.

The annual Computer Crime and Security Survey, conducted with the FBI and released in April by the Computer Security Institute in San Francisco, found that 90 percent of 503 computer security professionals, primarily in large corporations and government agencies, had identified information security breaches in the last 12 months. Forty-three percent were willing or able to identify their resulting financial losses, which surpassed $455 million.

Colleges and universities are essential to continued development of the information security work force, said Alan Paller, director of research for the SANS Institute, Bethesda, Md., which provides technical training and tests skills through the Global Information Assurance Certification program.

"[Colleges] are the only ones local enough to do it and keep their costs low enough," Paller said. Organizations such as SANS, he said, can take students to the next level after they have substantial on-the-job experience.

But educators say they don't have the resources to meet demand.

"All the universities working together can't turn out the number of graduates to meet the demands of our government and industry," said Allan Berg, deputy director of the Commonwealth Information Security Center at James Madison University in Harrisonburg, Va. JMU is one of 36 schools named a center of academic excellence in information assurance education by the National Security Agency. The $9 million security center was established May 24 by Gov. James Gilmore to help combat attacks on computer systems.

"You have a shortage of faculty across the board, and a lot of folks that get advanced degrees get snapped up by industry," Berg said. Many professionals who could teach instead choose to make more money in industry, he said.

"We are one of those organizations snatching up their graduates," said Steve Hutchens, director of security solutions for the global public sector business of Unisys Corp., Blue Bell, Pa.

Hutchens said Unisys is interested in candidates with college degrees, and prefers information security programs such as JMU's.

The company also tends to recruit individuals who are certified, Hutchens said. In addition to the SANS Institute, the International Information Systems Security Certification Consortium Inc., Framingham, Mass., also provides information security certification. Many information security professionals hold certifications from both SANS and (ISC)2.

"We've actually seen [requests for proposal] over the last several months that have specified the contractor must provide people with one of these certifications," Hutchens said.

Employers hiring these newly minted graduates say on-the-job experience is just as important, if not more important, than education. Wright said most students in the Western Connecticut program complete internships in their junior and senior years.

"If they don't have experience, it doesn't matter if they have a Ph.D. In our situation, it may be more advantageous to hire someone who has worked for 10 years with a firewall the customer has," said Randy Richmond, group manager for Verizon federal network systems.

Ryan Wagner, a senior computer science major at the Massachusetts Institute of Technology in Cambridge, Mass., is doing his best to get experience before leaving academia. He'll stay at MIT next year to pursue a master's degree, and afterward wants to work in computer security.

Through an on-campus internship, Wagner is learning to add cryptography to a computer program developed at MIT.

"I've had to learn C, about the Unix operating system, and about cryptography, and be comfortable enough with it that I can implement it properly," he said. Wagner recognized that hands-on experience is essential.

"You can [just] read a book, and then leave a gaping hole in what would otherwise have been a secure program," he said.