Information Security News mailing list archives

GAO Faults 'Inconsistent' Online Security Programs


From: InfoSec News <isn () c4i org>
Date: Fri, 16 Jan 2004 08:05:14 -0600 (CST)

http://www.informationweek.com/story/showArticle.jhtml?articleID=17301563

By Eric Chabrow 
Jan. 15, 2004 

The federal government has spent about $1 billion on 89 public key
infrastructure programs among 20 major agencies in recent years, but
the results of those programs are mixed, according to a report issued
by the General Accounting Office.

PKI is a secure method for exchanging information within an
organization, within an industry, nationwide, or worldwide.

Implementing PKI poses a major challenge for agencies, Linda Koontz,
GAO's director of information management issues, wrote in a letter to
Reps. Tom Davis and Adam Putnam, who chair House panels with oversight
on governmental IT use. The letter was dated Dec. 15, but released
Thursday.

GAO, the investigative arm of Congress, identified four major
challenges:

* Policy and guidance. Both are lacking or ill-defined in a number of
  areas, including technical standards and legal issues.

* Funding. Besides the high costs associated with the technology, cost
  models are lacking, making accurate budgeting more difficult. In
  addition, costs are increased when systems must be designed to
  accommodate the uncertainty associated with undefined standards.

* Interoperability. Integrating PKI systems with others such as
  network, security, and operating systems often requires significant
  changes or even replacement of systems.

* Training and administration. Training is required for personnel to
  use and manage public key infrastructure, and basic PKI requirements
  and processes impose significant administrative burdens.

Still, the GAO notes, the governmentwide Federal Bridge Certification
Authority and Access Certificates for Electronic Services programs
continue to promote the adoption and implementation of PKI, though the
results of these programs have been inconsistent. The level of
participation in the certification authority, which provides a way to
link independent agency public key infrastructures into a broader
network, is the same as in 2001, the last time the GAO examined the
matter. Only four agencies are certified to operate through the
network. Additional agencies plan to participate in the future, as
well as nonfederal organizations, such as the state of Illinois, the
Canadian government, and educational consortiums, GAO says.

Similarly, the agency says, the electronic-services program, which
offers agencies various PKI services through the General Services
Administration, has garnered lower-than-expected participation among
federal agencies. GSA plans to revise the pricing structure associated
with the electronic-services program to improve participation levels.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

