FAA boosting info security

[InfoSec News <isn () C4I ORG>]

http://www.fcw.com/fcw/articles/2001/0108/web-faasec-01-11-01.asp

BY Paula Shaki Trimble
01/11/2001

Federal Aviation Administration officials are preparing to boost
information security to address vulnerabilities in a modernized air
traffic control system that is no longer isolated from other parts of
the agency, the FAAs chief information officer said.

The agencys lack of information security policies, actions and
training were recently criticized in audits by the General Accounting
Office and by the Transportation Departments inspector general.

The FAA is updating its plans for information security with new
procedures, training and a new information systems security
architecture document, said Daniel Mehan, the FAAs assistant
administrator for information services and chief information officer.
He spoke during a session on critical infrastructure protection during
a Transportation Research Board meeting Jan. 8 in Washington, D.C.

The agency is building on the creation of its Office of Information
Systems Security last spring and is implementing programs to carry out
evaluations and certifications of FAA personnel procedures, systems
and facilities.

"All new [national airspace] systems must have a certification and
authorization package," Mehan said. In addition, all legacy
information systems will have the certification by May 2003, when all
agencies are required to have assessed and corrected the security
vulnerabilities of critical systems, he said.

Three people must approve each new IT system: the system developer,
the CIO and the person responsible for deploying the system, Mehan
said.

The information systems security architecture, which is in its early
version, will describe how information security needs to evolve with
the modernization of the National Airspace System from 2003 to 2010,
he said.

During that time, the FAA will replace many key air traffic control
systems and change to satellite navigation. The agency also will
replace the telecommunications infrastructure that carries air traffic
and administrative data.

Mehan said that in 2001, the FAA plans to:

* Issue policy directives on Web sites and remote devices.

* Improve security protection on new telecommunications acquisitions.

* Expand the information systems security architecture to cover
  non-National Airspace systems.

* Create the Computer Security Incident Response center.

* Add more certification requirements.

The creation of a performance-based air traffic organization, ordered
by President Clinton in December, to manage the acquisition and
implementation of new systems and technology also may help increase
information security, Mehan said.

"We could use the advisory boards and oversight groups to help us with
our interface to Congress and other agencies," he said. "It may
actually be more effective at getting the resources we need to get
this done."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".