Re: SECURITY Listserv Instructions and ParticipationGuidelines

[Rodney Petersen <Rodney () UMD EDU>]

Below is a clarification that I posted to the EDUCAUSE CIO Discussion
List in March and circulated elsewhere in response to confusion
surrounding the status of the "Safe Computing Environment" proposal.  I
have learned that elements of the research community are not eager to
support the addition of computer security to other compliance measures
already attached to receipt of federal funding.  However, I find them
sympathetic to concerns about improving IT security in the research
context.

I think the bill where you will find Senator Edwards language is S.1900
- a companion bill to S.1901 - that I cite below.  Note that it calls
for an "assessment of the advisability of a requirement".

-Rodney


Subject: Re: OMB Circular 102.600 -- Safe Computing Environment
Requirements for Fed Grants
Date:  Tue, 26 Mar 2002 10:01:35 -0700
From:  Rodney Petersen <rp72 () umail umd edu>
To: CIO () LISTSERV EDUCAUSE EDU

The EDUCAUSE Washington, D.C., office has confirmed with the Office of
Management and Budget (OMB) and the Council on Government Relations
(COGR) that the language contained in this message does not represent
an official change to Circular A-110.  OMB officials further confirm
that such language is not currently under consideration and regret that
someone originated a document in a format that appears as if it came
from OMB
and does not disassociate the proposal from official OMB processes.

Securing cyberspace and the information infrastructure has become a
critical concern for the federal government since 9/11.  Consequently,
there are numerous bills before Congress designed to improve IT security
within the federal government, and we can expect that higher education
will be called upon to do our part.   One example currently under
consideration is Senate Bill 1900 known as the "Cyberterrorism
Preparedness Act of 2002" that will establish a grant program "to
support the development of appropriate cybersecurity best practices . .
. [and] long-term cybersecurity research and development."   Section
2(g)(4)(A)(i) calls for "an assessment of the advisability of requiring
the contractors and grantees of the Federal Government to use
appropriate cybersecurity best practices."

EDUCAUSE recognized the significance of these issues when it established
a Computer and Network Security Task Force in July 2000.  The task force
is working closely with Internet2 and federal agencies to ensure that we
develop a thoughtful and measured response to the demand for better
security.  The identification and dissemination of "cybersecurity best
practices" is consistent with the mission of the task force.  However,
EDUCAUSE and the broader academic research community are not likely to
favor government imposed requirements or certifications.

If there are further reports of government regulation or legislation at
the State or federal level that will impact higher education and IT
security, I encourage you to bring those items to my attention
(rpetersen () educause edu) so the policy staff and task force can
intervene appropriately and communicate accurate, timely information to
our members.

Rodney Petersen
EDUCAUSE/University of Maryland

Randy Marchany wrote:
> There was some draft language that SANS put out for comment that would require
> adequate security procedures to be in place as a condition of the grant.
>
> Don't know what its status is nowadays.
>
>         Randy Marchany
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
> http://www.educause.edu/memdir/cg/cg.html.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/cg.html.