[ISN] GAO Faults 'Inconsistent' Online Security Programs

From: InfoSec News (isn@private)
Date: Fri Jan 16 2004 - 06:05:14 PST

    http://www.informationweek.com/story/showArticle.jhtml?articleID=17301563
    
    By Eric Chabrow 
    Jan. 15, 2004 
    
    The federal government has spent about $1 billion on 89 public key
    infrastructure programs among 20 major agencies in recent years, but
    the results of those programs are mixed, according to a report issued
    by the General Accounting Office.
    
    A public key infrastructure (PKI) is the set of certification
    authorities, policies, and digitally signed certificates that bind
    public keys to identities, so that parties who have never met can
    authenticate each other, sign documents, and encrypt data, whether
    within an organization, within an industry, nationwide, or worldwide.
    
    Implementing PKI poses a major challenge for agencies, Linda Koontz,
    GAO's director of information management issues, wrote in a letter to
    Reps. Tom Davis and Adam Putnam, who chair House panels with oversight
    of governmental IT use. The letter was dated Dec. 15 but released
    Thursday.
    
    GAO, the investigative arm of Congress, identified four major
    challenges:
    
    * Policy and guidance. Both are lacking or ill-defined in a number of
      areas, including technical standards and legal issues.
    
    * Funding. Besides the high costs associated with the technology, cost
      models are lacking, making accurate budgeting more difficult. In
      addition, costs are increased when systems must be designed to
      accommodate the uncertainty associated with undefined standards.
    
    * Interoperability. Integrating PKI systems with others such as
      network, security, and operating systems often requires significant
      changes or even replacement of systems.
    
    * Training and administration. Training is required for personnel to
      use and manage public key infrastructure, and basic PKI requirements
      and processes impose significant administrative burdens.
    
    Still, the GAO notes, the governmentwide Federal Bridge Certification
    Authority and Access Certificates for Electronic Services programs
    continue to promote the adoption and implementation of PKI, though the
    results of these programs have been inconsistent. Participation in the
    bridge, which links independent agency PKIs by cross-certifying with
    each of them rather than by imposing a single root on all of them, is
    at the same level as in 2001, the last time the GAO examined the
    matter: only four agencies are cross-certified with it. Additional
    agencies plan to participate in the future, as do nonfederal
    organizations such as the state of Illinois, the Canadian government,
    and educational consortiums, GAO says.
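
    Cross-certification is the mechanism that lets a bridge join PKIs that
    each keep their own root. The script below is an added example, not
    code from the article, from GAO, or from the Federal Bridge program: it
    uses the openssl command-line tool to build three made-up PKIs (two
    "agencies" and a bridge), has the bridge and Agency A cross-certify
    each other's keys, and then shows that a relying party trusting only
    Agency A's root rejects a certificate issued by Agency B until the
    cross-certificates are supplied as intermediates. All organization
    names, subjects, file names and key choices are assumptions for the
    demonstration.

```shell
#!/bin/sh
# Added example (not from the article or GAO): two independent PKIs joined
# through a bridge CA by cross-certificates. All names are made up.
# Requires the openssl command-line tool (1.1.1 or 3.x).
set -e

WORK=$(mktemp -d)

# Minimal req config so 'openssl req' does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
EOF
# Extensions for CA certificates (self-signed roots and cross-certificates alike).
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
# Extensions for an end-entity (user) certificate.
cat > "$WORK/ee.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
EOF

# new_key_and_csr NAME SUBJECT: generate a P-256 key and a CSR carrying it.
new_key_and_csr() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORK/$1.key" 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/$1.key" \
        -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
}

# self_sign NAME: turn NAME's CSR into a self-signed root CA certificate.
self_sign() {
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
        -extfile "$WORK/ca.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# sign_csr ISSUER SUBJECT EXTFILE OUT: ISSUER's key signs SUBJECT's CSR.
# With ca.ext this yields a cross-certificate: the same public key that
# already sits in SUBJECT's self-signed root is certified again by ISSUER.
sign_csr() {
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
        -CAkey "$WORK/$1.key" -CAcreateserial -days 30 \
        -extfile "$WORK/$3" -out "$WORK/$4" 2>/dev/null
}

setup_pkis() {
    new_key_and_csr agencyA "/O=Agency A/CN=Agency A Root CA"
    new_key_and_csr agencyB "/O=Agency B/CN=Agency B Root CA"
    new_key_and_csr bridge  "/O=Bridge/CN=Bridge CA"
    self_sign agencyA; self_sign agencyB; self_sign bridge

    # Bridge cross-certifies Agency B's root; Agency A cross-certifies the
    # bridge. (The reverse direction, letting B validate A, is symmetric.)
    sign_csr bridge  agencyB ca.ext agencyB_by_bridge.crt
    sign_csr agencyA bridge  ca.ext bridge_by_agencyA.crt

    # An end-entity certificate issued inside Agency B's own PKI.
    new_key_and_csr alice "/O=Agency B/CN=Alice"
    sign_csr agencyB alice ee.ext alice.crt

    # What an Agency A relying party obtains via the bridge: cross-certs only.
    cat "$WORK/agencyB_by_bridge.crt" "$WORK/bridge_by_agencyA.crt" \
        > "$WORK/bridge_bundle.pem"
}

# Agency B relying party, trusting its own root: Alice validates directly.
verify_within_agency_b() {
    openssl verify -CAfile "$WORK/agencyB.crt" "$WORK/alice.crt" >/dev/null 2>&1
}

# Agency A relying party trusting only Agency A's root, no cross-certs:
# Alice's issuer (Agency B Root CA) is unknown, so validation fails.
verify_without_bridge() {
    openssl verify -CAfile "$WORK/agencyA.crt" "$WORK/alice.crt" >/dev/null 2>&1
}

# Same trust anchor, but the cross-certificates are offered as untrusted
# intermediates. The path Alice -> Agency B Root CA (as certified by the
# bridge) -> Bridge CA (as certified by Agency A) -> Agency A Root CA now
# ends at a trusted root, so validation succeeds.
verify_with_bridge() {
    openssl verify -CAfile "$WORK/agencyA.crt" \
        -untrusted "$WORK/bridge_bundle.pem" "$WORK/alice.crt" >/dev/null 2>&1
}

setup_pkis
if verify_within_agency_b; then echo "Agency B, own root:   valid"; fi
if verify_without_bridge; then echo "Agency A, no bridge:  valid (unexpected)"
else echo "Agency A, no bridge:  rejected"; fi
if verify_with_bridge; then echo "Agency A, via bridge: valid"
else echo "Agency A, via bridge: rejected (unexpected)"; fi
```

    Note that nothing in Agency A's trust store changed between the failing
    and the succeeding check; only the cross-certificates were added as
    path-building material. That is the point of a bridge: each member
    keeps its own root, and trust in another member's certificates can be
    withdrawn by revoking a single cross-certificate.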
    
    Similarly, the agency says, the electronic-services program, which
    offers agencies various PKI services through the General Services
    Administration, has garnered lower-than-expected participation among
    federal agencies. GSA plans to revise the pricing structure associated
    with the electronic-services program to improve participation levels.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Fri Jan 16 2004 - 09:26:22 PST