Educause Security Discussion mailing list archives
Feedback About InfraGard
From: Rodney Petersen <rpetersen () EDUCAUSE EDU>
Date: Mon, 28 Oct 2002 12:47:42 -0500
A recent presentation at the EDUCAUSE2002 annual conference sponsored by the Security Task Force featured Dr. Phyllis Schneck, Chairman of the InfraGard National Executive Board. She indicated in her remarks that steps were underway to address concerns about the Secure Access Agreement that many cited as an impediment to joining InfraGard. Below is a message from Dr. Schneck announcing some proposed changes and requesting feedback. Please provide feedback to the addresses indicated in her message.

Additionally, the Security Task Force is interested in learning more about your experiences with your local InfraGard chapters and whether it is a useful experience for IT security officers or other college or university personnel. Please post your experiences to this list focusing on the following:

What is the most useful feature of InfraGard for college and university IT security personnel?
What is the least useful feature of InfraGard?
Should the Security Task Force promote college and university participation in InfraGard?
Is there any feedback that we could share with Dr. Schneck and other InfraGard leadership to reinforce its effectiveness or improve its overall usefulness for higher education?

Thank you for any insights that you can provide.

Rodney Petersen
Security Task Force Coordinator, EDUCAUSE

-----Original Message-----
From: Phyllis Schneck [mailto:phyllis.schneck () ecommsecurity com]
Sent: Tuesday, October 22, 2002 5:17 PM
To: 'infragard-official () listserv infragard org'
Cc: 'don () thetrainingco com'; 'don.evans () usahq unitedspacealliance com'
Subject: IMPORTANT - HELP US WITH MEMBERSHIP GUIDELINES FOR REPLACING THE SAA!
All-

Over the past two years, an overwhelming percentage of our members and potential members have asked that the existing "Secure Access Agreement" (SAA) be replaced with an agreement that is closer to that to which businesses are more familiar (such as an NDA-type agreement with some additional structure to specifically suit InfraGard). In addressing this concern, the IEB is working with the membership committee and the NIPC to expedite the production of an agreement that moves us forward.

Steve Chabinsky, NIPC Counsel, poses the following suggestions (enclosed in text below this note) to us on guidelines regarding issues such as how is membership defined and what should determine access to InfraGard "secure" information. These are yours to adjust as you see appropriate. How would you modify these (for example, please note that one of the guidelines below mentions the SAA by name, and clearly if we are to make a change, that guideline would reflect the new agreement, making no mention of what we currently know as the SAA). Another example is do we want companies only for access to secure site - or do we want individual memberships? Do we want to create a framework to enable global information sharing in the future, thus striking the guideline barring non-citizens from membership? Please tell us!

Please also note that it is up to you, the InfraGard membership, to craft what you want our membership agreement to do for us, as our membership guidelines will shape your InfraGard for the future.

Also, the results are in: Out of a total of 1773 votes received, 1642 members indicated that they would be in favor of background checks as a requirement for InfraGard membership, where all members would then have "Secure Access." 131 members voted against. This indicates that our membership would be in favor of backgrounding all members, thus providing all members secure site access. Therefore, a new agreement may need only contain standard non-disclosure provisions and some additional language to fit to our trusted partnership. Whatever we need, Steve can create.

We need your help. Please gather input from your constituents and tell us what you would like to see! Don Evans (Houston - working with base of "SAA/membership" committee) and Don Withers (Maryland) will be collecting your input and submitting a summary of membership opinion to the IEB. The IEB will then work with Steve to create an agreement that reflects your comments. We are aiming to have this agreement ready for 2003. This is aggressive, but necessary.

PLEASE DO NOT RESPOND TO THIS NOTE WITH QUESTIONS. ALL RESPONSES SHOULD BE IN THE FORM OF INPUT TO DON&DON - again addresses are: don () thetrainingco com and don.evans () usahq unitedspacealliance com. All comments must be received by Don Withers and Don Evans by November 10, 2002.

Many thanks - this is a tremendous milestone. Steve Chabinsky's suggested draft membership guidelines follow.

Phyllis

Phyllis A. Schneck, Ph.D.
Vice President, Enterprise Services, eCommSecurity, Inc.
Chairman, FBI InfraGard National Executive Board
770-216-9990 x3016

_____

Draft General Guidelines for Permitting InfraGard Membership and Access to InfraGard Secure Information

These general guidelines are for use by the FBI in determining whether to provide an InfraGard applicant with membership, and an InfraGard member with access to "Secure Information" as defined in the Secure Access Agreement. Secure Information generally refers to non-public information posted on the InfraGard secure webpage or disseminated through the InfraGard alert network.

I. Overview

A.
The FBI generally will grant InfraGard membership and access to the InfraGard secure webpage and InfraGard web alerts (1) to any individual or entity who [has signed the most current version of the Membership Application and Secure Access Agreement], (2) after conducting a records check both on the corporate entity which is the InfraGard applicant and the individual who is the member's Designated Representative under the Secure Access Agreement. This holds true as well for persons lawfully in the United States who are not U.S. citizens, and foreign controlled corporations that are lawfully doing business in the United States.

B. Consistent with the Secure Access Agreement, for specific law enforcement or national security purposes, the FBI, with the express written consent of the NIPC, may grant access to Secure Information to federal, state or local law enforcement and intelligence agencies that are not InfraGard members, and that have not signed the Secure Access Agreement. Under such circumstances, special attention must be paid to the public reporting obligations of those entities.

C. The FBI generally will not grant membership and secure access to individuals or entities not residing or doing business in the United States.

D. The FBI generally will not grant membership and secure access to any foreign government or its diplomatic mission in the United States.

E. The FBI generally will not grant membership and access to individuals or entities if providing such information could pose a substantial risk to the protection of law enforcement or national security interests, including risks to the national infrastructure. The FBI, nonetheless, will grant membership and access in those cases where the fact of not doing so would be contrary to the FBI's law enforcement or intelligence objectives (for example, when refusing membership and access would have the detrimental effect of notifying the applicant of a sensitive, pending investigation).

F. The FBI will deny membership and access only on a case-by-case basis. As a general matter, though, the FBI -- upon determination by the NIPC, FBIHQ -- will not grant membership and access to individuals or entities who specifically are known to have, or are strongly suspected of having, engaged in [any felony? any felony within the past x years?] any of the following 10 categories of conduct:

1. Acts of foreign or domestic terrorism. This includes, by way of example, conduct in violation of:
   18 U.S.C. 175 [biological weapons]
   18 U.S.C. 792 - 797 [espionage]
   18 U.S.C. 831 [nuclear materials]
   18 U.S.C. 841 [explosive materials]
   18 U.S.C. 871 - 880 [threats and extortion]
   18 U.S.C. 1114 [murder of U.S. officer or employee]
   18 U.S.C. 1116 [murder of foreign officials]
   18 U.S.C. 1119 [foreign murder of U.S. nationals]
   18 U.S.C. 1121 [murder of persons who are aiding investigations]
   18 U.S.C. 2153 [sabotage]
   18 U.S.C. 2331-2339B [terrorism]
   49 U.S.C. 46502-46507 [hijacking aircraft]

2. Active membership in an organization that the applicant knows or should have known to sponsor terrorism, or prior membership in such an organization that raises significant concern about the applicant's current ability to protect and not misuse InfraGard information.

3. Acts constituting genocide or war crimes.
   18 U.S.C. 1091 [genocide]
   18 U.S.C. 2441 [war crimes]

4. Acts of unlawful use of computer(s), electronic data, voice mail, or telephone system(s). This includes, but is not limited to, conduct in violation of:
   18 U.S.C. 875(c) [interstate threats]
   18 U.S.C. 1029 [access devices]
   18 U.S.C. 1030 [computer fraud and related activities]
   18 U.S.C. 2511 [interception of communications]
   18 U.S.C. 2512 [intercepting devices]
   18 U.S.C. 2701 [computer intrusions]
   47 U.S.C. 223(A) [harassing communications]

5. Active participation in an organization that the applicant knows or should have known to engage in, promote, or sponsor the unlawful use of computers, electronic data, voice mail or telephone systems; or prior active participation in such an organization that raises significant concern about the applicant's current ability to protect and not misuse InfraGard information.

6. Misuse of information, including the unauthorized disclosure of classified information. [18 U.S.C. 798]

7. Economic espionage. [18 U.S.C. 1831, 1832]

8. Information-gathering on behalf of foreign governments, terrorists, or others with purposes inconsistent with the protection of American national security.

9. Unlawful entry or residence in the United States. [18 U.S.C. 1423-1427]

10. Acts in breach of InfraGard's By-Laws or the InfraGard Secure Access Member Agreement.

II. Records Checks

A. In order for the FBI to grant membership to an InfraGard applicant, and to determine whether an individual or entity's access to secure InfraGard information might pose a substantial risk to the national security, for each applicant from their respective Local Chapters, the Field Offices will check the following with the applicant's consent: all FBI records, the National Crime Information Center (NCIC), and the List of Parties Excluded from Federal Procurement and Nonprocurement Programs (available online at <http://www.arnet.gov/epls/>). An applicant's refusal to provide sufficient identifying information about themselves and consent for the FBI to conduct the background check will be an automatic basis for denying membership and access to secure information.

III. Procedures for Providing or Denying Access to Secure Information

A. The FBI generally will not provide membership or secure access to an applicant without first conducting the records check described above.

B. If an applicant fails or refuses to provide identifying information and consent sufficient for the FBI to conduct a records check, then the applicant's membership and access will be denied. If access is denied for this reason, the applicant generally will be given a second opportunity to provide the necessary information. It will be case specific whether the FBI can conduct an adequate records check without receiving all of the information requested on the Designated Representative Information sheet.

C. No applicant will be denied membership or secure access, and no applicant will be informed that they might be denied membership or secure access, unless the following procedures are followed:

1. The Field Office must notify the NIPC immediately of any application where a records check indicates criminal activity or pending investigations of any type, and provide a recommendation to the NIPC about whether the applicant should be granted membership and access to InfraGard information.

2. If the NIPC concludes that membership and access should be denied, the NIPC must consult promptly with all interested FBI Divisions and Field Offices, or other agencies if appropriate, to determine whether an applicant (or its Designated Representative) may be told the general reason membership and access is being denied. If on national security or law enforcement grounds the applicant (or its Designated Representative) cannot be told the general reason for denial of membership or access, then membership and access will be granted.

3. By letter from the NIPC, the Field Office will be responsible for notifying an applicant whose membership and access is denied and will provide the Designated Representative who was the subject of the records check with the general grounds for that decision.

4. The applicant/Designated Representative will have an opportunity to provide to the NIPC a written challenge of any notice of denial.

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.