Information assurance: Integrators gear up for the next big thing
When information assurance experts at SRA International Inc., Fairfax, Va., want to show their government clients the full range of security risks they face, they sometimes dispatch someone to an agency office to sneak in the front door and try to steal a computer. Or, with the permission of the agency heads, the visitor might try to find an empty conference room with an open jack onto the agency's network.
The physical aspect of cybersecurity is one few people think about, but the threat exists, said Mary Ellen Condon, director of SRA's information assurance office.
"Any organization has people coming in and out: maintenance personnel, potential clients," Condon said. This is how a criminal can steal valuable data, she said.
SRA's unusual tactic is a good indicator of how broad the field of information assurance truly is. Although the term "information assurance" doesn't appear to drive many contracts coming from the federal government, it is on the minds of agency heads, who often request information assurance-related work in different pieces, such as contracts for security, disaster recovery or public key infrastructure.
But what agencies need most, said industry officials, are integrators that can help them see the big picture, to see how the multitudinous aspects of protecting data fit together to create enterprisewide information assurance. And this enables agencies to make tough decisions about how much protection they need.
"Integrators bring expertise to the agency. We bring the talent and the experience to help them create their information assurance plans," said Jim Hogler, vice president and division manager of the information assurance division for CACI International Inc., Arlington, Va.
"Agencies don't buy individual products in a standalone fashion. They have a need to do an enterprise operation. So they will hire an integrator to put together a system of products that work together in an effective manner," said Ron Ross, director of the National Information Assurance Partnership, a collaboration between the National Security Agency and the National Institute of Standards and Technology to establish a framework for security testing of commercial software.
The government information assurance market is expected to grow 15 percent to 20 percent annually for the next five years, according to an October 2001 report by the Government Electronics and Information Technology Association. GEIA said the government market for the various components of information assurance, pegged at $2 billion to $3 billion today, will grow to an estimated $9 billion by 2006.
Before Sept. 11, the demand for information assurance was driven to some degree by executive and legislative mandates. For example, in May 1998, President Clinton issued Presidential Decision Directive 63 in response to the 1995 Oklahoma City bombing, setting up guidelines to protect national infrastructures, such as telecommunications, banking and finance, energy, transportation and essential government services.
On the legislative side, the Health Insurance Portability and Accountability Act and the Government Paperwork Elimination Act are driving online government services that require heightened sensitivity to security and information validity.
While these mandates continue to focus agency attention on information assurance, government and industry officials agree that the terrorist threat has dramatically ratcheted up activity in past months.
"We have seen a tremendous allocation of funding for information assurance," said Steve Hutchens, director of security solutions for global public sector at Unisys Corp., Blue Bell, Pa. Hutchens' department hired 10 people in the last three weeks of May, in part because of increasing information assurance-related work.
Since Sept. 11, Oracle has seen heightened interest from agencies that already use the company's databases but now are interested in deploying the company's advanced encryption, backup, load balancing, auditing and other security-related features, said Dave Carey, vice president of information assurance for Oracle Corp., Redwood Shores, Calif.
"Before Sept. 11 you had to explain what the threats were," Carey said. "You don't have to do that now. People know what the threats are."
Puzzle pieces vary
To a large degree, agencies continue to request information assurance-related work as smaller pieces of a larger puzzle. At Unisys, for example, Hutchens said he sees a wide range of requirements coming from agencies, such as network assessments, assisting certification and accreditation, and enabling PKI.
"There is no single category of service that dominates," he said.
Even agencies that approach information assurance from an enterprisewide perspective are not relying on just one integrator, he said. One company might be asked to provide network security, while another provides training.
Usually, a "single integrator does not go in and do a soup-to-nuts approach," Hutchens said.
Hogler said CACI divides up the tasks of information assurance into a number of different steps along a continuum: defining policies and procedures, designing and implementing the architecture, certifying the systems, education and training of personnel, and system monitoring and program management.
Typically, an integrator may execute just one of the steps for an agency, though as a relationship and a knowledge base builds between the integrator and agency, more work may follow.
"If an agency gets a good integrator to work with, the work expands across the enterprise," Hogler said.
CACI has completed information assurance work for the Federal Aviation Administration, the Office of Personnel Management and other agencies. Under the General Services Administration's Safeguard contract vehicle, the company was awarded a five-year, $31.5 million contract to help the U.S. Customs Service develop information assurance plans and policies, deliver training, establish a security architecture and maintain incident response capabilities.
"We approach security very holistically. We look at the personnel, the process and the technology that are relevant at supporting information assurance activities," said SRA's Condon.
Condon said information assurance isn't just about security; it's about the entire business process, guaranteeing that customers are getting what they pay for and that the information is not being used improperly.
Every link is critical to maintaining the integrity of an agency's information, said NIAP's Ross. There are technical components, such as firewalls and public key infrastructure, as well as nontechnical components, such as guards and gates.
But agencies also must ensure that employees are cleared to perform sensitive work, and they must implement programs to educate people on topics such as the proper way to choose passwords.
"All of this makes for a big puzzle," Ross said.
And an expensive puzzle, as agencies are finding that a perfect information assurance solution is prohibitively expensive.
"It's very costly to protect systems," said Mike Grady, vice president and chief technology officer of the Office of Technology, Engineering and Quality for Northrop Grumman Information Systems, a division of Northrop Grumman Corp., Los Angeles. Agencies with limited budgets must make cost-value trade-offs, as private industry has for years. Banks, for instance, could make credit cards more secure, but they weigh that extra cost against the risk of credit card fraud.
The big picture
The question is how much they want to pay for security and how much risk they are willing to accept now, Grady said.
"Agencies are recognizing they need to think about what their requirements are in some organized way. Doing up-front work in this way will save you money in the long run," said Richard Wilhelm, vice president for Booz Allen Hamilton Inc., McLean, Va. Booz Allen has completed numerous large-scale information assurance projects for clients, such as the FBI and the Department of Defense.
With the deadline of the Government Paperwork Elimination Act set for this October, many agencies are looking to PKI implementations as a component of their electronic systems, said Wilhelm, who works in the company's strategic security practice. But offices reacting too quickly to the mandate may be purchasing PKI-based systems they may not need, he said.
Booz Allen has found that only 20 percent of the digital transactions required by GPEA actually need to be authenticated, Wilhelm said. By not deploying PKI systems in all electronic systems, agencies can save a good deal of money.
"In the end, it is all about risk and managing risk," Ross said. No systems are completely secure.
So the question is not whether an agency will have secure systems, but what level of risk the agency is willing to accept.
"And that will be different for every organization," Ross said.