Trade Law Daily is a service of Warren Communications News.

Don’t Fear Trusted Internet Connections Deadline, OMB Tells Agencies

Two months before jittery agencies must obey Office of Management and Budget mandates, Karen Evans, OMB administrator for e-government and information technology, reminded agencies that they had certified their progress several times. The requirements concern the longstanding IPv6 transition, federal desktop core configuration standards and the five-month-old Trusted Internet Connections (TIC) initiative. Evans spoke Tuesday at a Federal Computer Week conference.

“It’s not like we just all like June,” Evans said, a nod to the June 30 deadline for compliance. The OMB considers TIC largely accomplished through ongoing efforts, including Networx federal IT contracts and a two-factor authentication effort known as HSPD-12. In February the General Services Administration and Defense Department made a similar it’s-largely-done pitch to agencies on the IPv6 deadline (WID Feb 14 p5). “We're taking your word from everything you said you were doing,” such as completing statements of work for vendors and validating agency inventories, Evans said.

Agencies reduced external network connections to “around” 230 from 4,000 by April 15, Evans said. The TIC target is 50 connections, based on 26 evaluated agencies having one main external connection and a backup, she said. After plans are in, OMB will study applications to decide if larger agencies can serve as Internet access providers for smaller ones that don’t want to run their own networks.

Evans lightly scolded agencies for largely missing the two-factor authentication deadline. They need not wait to issue new identification cards and buy encryption tools via a DoD-GSA project, she said. The desktop configuration program -- under which agencies must standardize configuration of 300 settings for Windows XP and Vista machines -- also presents agencies with a June 30 deadline by which they must tell vendors that they must sell software “certified” to run on the configurations. The OMB soon will release a memo defining what counts as certified, Evans said, and check a sample of desktops after the deadline, to ensure that the configuration works.

A special publication on using DNS Security Extensions, or DNSSEC, is coming “shortly” from the National Institute of Standards and Technology, Evans said, declining to give a fixed date. The GSA and the Department of Homeland Security are in charge of implementation and will review agency policies. Evans said the OMB learned recently that one agency had a great deal of data on a .org address. Agencies are supposed to use .gov.

TIC as ‘Brakes on a Car’

The TIC initiative isn’t a “big bullseye” on consolidated federal networks for hackers to target, said Randy Vickers, deputy director of the U.S. Computer Emergency Readiness Team at DHS, on a second panel. “We're not going to become Estonia,” he said, a reference to Russian-traced cyberattacks that largely shut down government and business in the country for two weeks last year. “We put brakes on a car to go faster,” and protected networks can similarly be used for better applications, he said.

“People get spooked at the number 50,” though there are far fewer connections between tier one service providers, said Wesley Kaplow, chief technology officer in Qwest’s government services division. TIC equipment can be installed relatively easily at distribution centers using specially designed routers, he said. The Department of Interior has reduced its external connections from 33 to five, said Chief Information Officer Tim Quinn, and has been using DHS’s Einstein network monitoring tool for two years. It’s mulling over applying to become an access provider to other agencies, he said.

Einstein, currently used for perimeter monitoring, will evolve into more of an intrusion detection system in the future, not looking for personal information but “known bad activity,” Vickers said. Asked by an audience member why DHS couldn’t simply install Einstein on every tier one service provider connection for .gov domains, Kaplow said Qwest had done some analysis of the technical feasibility of doing so: “We would entertain looking at it” further.