Wednesday, December 5, 2012
NOBLE 2013 William R. Bracey CEO Symposium. Baltimore, MD February 21, 2013
HSTODAY.COM: Authorities Seek More Integration Across Federal Screening and Credentialing Efforts
Authorities Seek More Integration Across Federal Screening and Credentialing Efforts
By: Mickey McCarter 12/03/2012 (8:00am)
Federal agencies could do more to integrate screening and credentialing efforts throughout government to ease the process of vetting multiple individuals multiple times -- whether for the benefits of security clearances, restricted access, or trusted traveling, experts agreed during a panel Thursday.
"This is an area where no one really cares until you screw up or until you make people wait too long," commented Monte Hawkins, a deputy group chief at the National Counterterrorism Center (NCTC).
A few of the challenges facing enterprise screening and credentialing systems throughout the government include too many redundancies and multiple screenings of the same traveler or applicant, said Hawkins, speaking at a forum sponsored by the Center for Strategic and International Studies in Washington, DC.
The intelligence community (IC) also must improve the collection of information to build up more biographic details, he said. Agencies could accomplish this perhaps by collecting more detailed information on applicants, thereby also easing recurring vetting for periodic renewal of the benefits for trusted travelers or cleared personnel.
Hawkins also called for more automation in processing information.
"We have processes that have been in place now for a while that have been very manual" and thus very time consuming, Hawkins said. "You have to rely on automation to do this triage for you."
Hawkins recommended a reexamination of the overall screening architecture across agencies, calling for a structure similar to the National Targeting Center at the Department of Homeland Security (DHS) except at a higher, national level.
IC communications also remain very pocketed and segmented despite dramatic improvement over the last 10 years, Hawkins observed. Opening those communications up a bit more between agencies would allow authorities to "connect the dots" faster. And more interconnected communications would make it easier for agencies that engage in a lower priority screening, such as for benefits eligibility, to make faster and easier determinations.
Still, screening and credentialing has evolved to a point where authorities quickly and systematically can make use of information from intelligence and law enforcement databases, said Victoria Newhouse, deputy assistant administrator for risk-based security at the Transportation Security Administration (TSA).
For example, TSA fully implemented Secure Flight in late 2010 to do just that, Newhouse said. TSA matches traveler information against intelligence and law enforcement databases to quickly determine if a traveler poses a danger to aviation security.
Still, TSA would like to improve the speed with which it can verify the identities of passengers presenting identification cards or even those who lose their identification while on vacation, Newhouse commented.
TSA PreCheck represents the direction TSA is embracing with regard to applying different applications of screening to travelers, depending upon the perceived level of risk represented by individual air passengers, she continued. PreCheck does not involve less screening; rather, more screening is done upfront, of biographical data for example, to determine if individuals should receive more or less scrutiny at airport checkpoints.
Boosting information collection and cooperation among agencies will be key drivers to successfully implementing risk-based security measures, Newhouse said. DHS agencies require more integration with partners outside the department and more harmonization within the department.
Kelli Ann Walther, senior director of the DHS Screening Coordination Office, said the department maintains a flexible screening and credentialing framework to accommodate 40 individual programs within the DHS screening portfolio.
Some screening programs require a robust background check while some are lighter, Walther noted, and appropriately so depending on the benefits derived from the screening outcome.
"That demonstrates that there isn't one solution for all screening and credentialing programs but really there are not 100 solutions either -- that's not the solution," Walther remarked.
By applying standards across newer agencies like TSA and older agencies like the US Coast Guard, DHS seeks to harmonize different approaches and multiple credentialing efforts to reduce redundant vetting, Walther said.
The department sets objectives to set up credentials for multiple purposes instead of a single use, to standardize vetting procedures, and to share vetting results across programs, Walther said. Applicants also must have appropriate opportunities to seek redress.
IDENT, the DHS biometric storage and matching service, represents a good example of common applications across multiple credentialing programs, Walther said. TSA, Coast Guard, US Customs and Border Protection (CBP) and others can turn to the same enterprise service to verify biometrics like fingerprints from one uniform source.
In the future, DHS will look for more efficiencies and more opportunities to leverage such enterprise services, Walther said.
HSToday.US: Plagues of Federal Cybersecurity
The Basics Still Plague Federal Cybersecurity
By: Dan Verton 12/05/2012 (7:30am)
The federal government faces a cybersecurity threat that is more capable and relentless than at any time in recent history. And yet, agencies responsible for operating high-security networks and data centers continue to struggle with passwords, physical security, access control and a host of other relatively basic security precautions.
Greg Wilshusen, director of Information Security Issues at the Government Accountability Office (GAO), the investigative arm of Congress, told a gathering of federal and industry security officials on Dec. 3 that the number of security incidents reported to the US Computer Emergency Readiness Team (US-CERT) is on course to surpass 48,000 in 2012 – a 782 percent increase since 2006.
And that could spell real trouble this year for federal network security, especially because of the basic security weaknesses identified by GAO during multiple agency audits last year. For example, Wilshusen, who spoke at the Government Technology Research Alliance (GTRA) forum on government security, said every one of the top 24 federal agencies had weaknesses in basic access controls.
“This is the area where we find most of the computer system vulnerabilities,” said Wilshusen. “These are controls that relate to protecting an organization’s boundaries, [and] also include those procedures that agencies have to identify and authenticate the identity of their users and the devices that connect to their systems, use of encryption and physical security to control physical access to the data facilities and information resources.”
In addition, GAO last year regularly uncovered significant problems with other basic security precautions, such as passwords, physical security control and outdated user accounts that had not been deleted.
Passwords used by agency employees were often found to be “relatively easy to crack,” Wilshusen stressed. And, surprisingly, those employees found to have the least secure passwords were often the system administrators, he added. More troubling, however, was the large number of old user accounts and default accounts that remained accessible.
“Agencies also often do not change or delete vendor supplied passwords and IDs,” Wilshusen said, referring to the default accounts that often ship with new computers and operating systems. Likewise, GAO investigators often found “hundreds and sometimes thousands” of instances where training accounts or accounts belonging to former employees had not been deleted.
But even the users who had legitimate access to systems often had too much access, said Wilshusen. Referring to the so-called “principle of least privilege,” where users are given only the access they require to do their jobs effectively, Wilshusen said GAO investigators “often find instances, particularly in databases, where users are given access to all of the data to either write, read or update the data when generally they don’t need that level of access.”
Other weaknesses in basic security procedures that GAO encountered regularly last year include:
- Insufficient access controls for firewalls, switches, and routers;
- Agencies are slow to deploy the infrastructure to support logical access control devices, such as Common Access Cards and the Personal Identity Verification (PIV) card;
- Monitoring system configurations and the assets on the network still is not being done on a regular basis; and
- Inadequate physical security at highly-secure data centers (e.g. doors propped open with chairs so employees can take smoke breaks, and guards who did not check credentials properly).
But Ron Ross, a senior computer scientist and fellow at the National Institute of Standards and Technology (NIST), pointed to other basic precautions and policies that have been stymied by a combination of cultural impediments and the vast, complex federal IT architecture.
“There’s a new saying that the offense should be informing the defense,” said Ross. “But yet we find out that a lot of our CISOs and CIOs don’t even have [top secret compartmented] security clearances. So, how can you be informed of what the threat can do if you can’t even get the information that allows you to understand what that threat looks like? It’s a very serious problem.”
In January, NIST will release revision 4 of its Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations. “And there’s going to be a lot of gnashing of teeth when you see the number of controls and enhancements being added,” said Ross. The new version adds about 250 new controls, moving the total number from 600 to 850.
One such new control that will be added is firmware integrity. “The adversary is down at the firmware level now and probably even the hardware in some cases,” warned Ross. “Firmware integrity is critical. The adversary has demonstrated the capability to get into that firmware.”
But while hackers have demonstrated the ability to attack federal networks in more complex and sophisticated ways, federal security professionals have been unable to keep up with the challenges posed by complexity, said Ross. Because of the complexity of federal network architectures, “we ask our CISOs and CIOs to defend systems that are largely indefensible,” he explained.
Complexity, he said, “is ground zero of our problems today.”
Grant Opportunity: U.S. EPA. $60,000 in EPA Grants Awarded to Calif. University Groups
$60,000 in EPA Grants Awarded to Calif. University Groups
Funding for Sustainable Technology Design, Development Projects
SAN FRANCISCO – The U.S. Environmental Protection Agency today awarded $60,000 in grants to four California university student teams as part of phase 1 of EPA’s People, Prosperity and the Planet (P3) annual student competition for the design and development of sustainable technologies.
In total, EPA awarded $675,000 for 45 grants nationally, valued at $15,000 each, as part of phase 1 of the competition, and student groups will now begin the implementation of the design of their proposed technology.
“EPA is proud to support some of California’s best student innovators working to improve the environmental conditions and the standard of living of individuals in the U.S. and around the world,” said Jared Blumenfeld, EPA’s Regional Administrator for the Pacific Southwest. “The ideas and projects spurred by these grants will help achieve lasting positive change for future generations.”
This year’s California award winners:
- University of California, Riverside, “Pasteurization Using a Lens and Solar Energy (PULSE) Method”: Project will create a solar disinfection technology device for use in developing countries that will speed up the rate of water pasteurization.
- San Jose State University, “3D Printing Sustainable Building Components for Facades and as Window Elements”: Project entails researching sustainable, inexpensive, and recyclable building components for facades and windows using design methods appropriate for 3D printing technology.
- Stanford University, “Community-Level Water Disinfection Technology for Dhaka, Bangladesh Treatment”: Students will develop a low-cost chlorination device that will disinfect drinking water without relying on electricity or moving parts. Each chlorinator will provide safe drinking water to approximately 10-50 Bangladeshi households.
- California State Polytechnic University, Pomona, “Capturing CO2 with MgO Aerogels”: Students will determine whether it is practical and economically feasible to use Magnesium Oxide (MgO) aerogels to capture carbon dioxide in chemical and power plants.
After eight months of work on their projects, the phase 1 grant recipients will bring their designs to Washington, D.C. to participate in EPA’s National Sustainable Design Expo. During the event, a panel of scientific experts judges the projects. Winners receive a P3 award and recommendation for a second phase grant of up to $90,000 to further develop their designs and prepare them for the marketplace.
The 9th Annual National Sustainable Design Expo featuring EPA’s P3 competition is scheduled for April 20-21, 2013, on the National Mall in Washington, D.C. The expo is open to the public and will display the 2012 P3 teams’ designs.
EPA is currently accepting applications for P3 awards for the 2013-2014 academic year through Dec. 11, 2012.
More information on the P3 2012 recipients: http://www.epa.gov/p3/2012recipients
More information on past P3 winners: http://www.epa.gov/p3/multimedia/index.html
U.S. DHHS. Office of Minority Health. Resources..Money & More