FedCIRC Pilot Goes Operational

GSA Now Manager of FedCIRC

The General Services Administration (GSA) became the manager of the FedCIRC initiative on October 1, 1998. Working closely with the GSA team, the FedCIRC pilot team of NIST, CERT/CC and CIAC have ensured that most of the services provided by the pilot will continue into the GSA/FedCIRC. The capability is available twenty-four hours a day, alerts are being issued, a web site is maintained, training courses are planned, and specific services (e.g., forensic support) can be procured through GSA. GSA selected the CERT/CC of the Software Engineering Institute at the Carnegie Mellon University as the operational core of FedCIRC. CERT/CC is globally respected as one of the leaders in information technology incident handling and recovery operations. The Chief Information Officer's (CIO) Council requested that GSA become the manager of the FedCIRC initiative. For the past two years, the National Institute of Standards and Technology (NIST) has successfully operated FedCIRC along with the outstanding operational support of CIAC and CERT/CC. The new FedCIRC provides containment and recovery assistance to agencies and departments of the Federal government when faced with information technology security related events such as computer viruses, unauthorized intrusion, misuse, or technical malfunctions.

(FedCIRC is the focal point of a collaborative partnership of Federal Civilian Agencies, the Department of Defense, Law Enforcement, and Academia. In its July announcement of the selection of the CERT/CC as FedCIRC's operational arm, GSA said "the purpose of the partnership is to protect information and components of the nation's critical information infrastructure. Toward this end, the FedCIRC is building a close working relationship with the National Infrastructure Protection Center (NIPC) which has responsibility for detecting, deterring, assessing, warning of, investigating, and responding to attacks on the critical infrastructures of the United States."

The new FedCIRC team can be reached at:

URL: www.fedcirc.gov

E-mail: fedcirc@fedcirc.gov and fedcirc-info@fedcirc.gov

Operations: 1-888-282-0870

Management Center: 202-708-5060

Kudos to Subscribers

Special recognition goes to the six subscribers to the FedCIRC pilot: Bureau of Alcohol, Tobacco and Firearms; Federal Supply Service of the General Services Administration; National Finance Center of the Department of Agriculture); Department of Justice; Department of State; and U.S. Customs Service. In particular, thanks to Archie Bertrand (NFC/USDA), John Feldman (State), Ken Grossman (FSS/GSA), Edward Keefe (Customs), Vicki Lord (DOJ), and Carol Widmayer (ATF) for the confidence they placed in FedCIRC and the financial support their organizations provided. This support was instrumental in securing FedCIRC's evolution from pilot to operational program.

Lessons Learned from FedCIRC Pilot

In less than two years, the Federal Computer Incident Response Capability (FedCIRC), initially a Government Information Technology Services (GITS) Board pilot project, demonstrated the need for coordinated incident handling government-wide and the success of a virtual team approach. Formally announced in October 1996, FedCIRC became an operational program administered by the Office of Information Security of the General Services Administration on October 1, 1998.

The GITS Board sponsored the FedCIRC pilot for 18 months and six Federal organizations subscribed to the FedCIRC services during the pilot experience. This article is extracted from a paper written by Fran Nielsen and Marianne Swanson, which describes the pilot and the lessons learned from it. Fran Nielsen presented the paper at the recent System Administration, Networking and Security (SANS) Conference in Orlando.

BACKGROUND

The need for an incident handling capability that crosses Federal government agency and organizational boundaries has never been greater. Both in the private and public sectors, organizations are becoming more dependent on information technology (IT).

Diverse sources, from the General Accounting Office to congressional hearings to the Presidential Commission on Critical Infrastructure Protection, describe the insecurity of Federal Government information technology (IT) infrastructures as illustrated by the dramatic increase in electronic break-ins in the public and private sectors. The Department of Defense alone had 250,000 hacker attempts on its computer systems last year. At a recent Chief Executive Officer's conference, attendees were told that government and corporate computer break-ins by hackers is a $10 billion-a-year problem.

The FedCIRC pilot was designed to address the near- and long-term incident handling needs of the Federal civilian community, by providing incident handling services to civilian agencies and by building agency competence and self-reliance in incident handling. The military incident handling coordination service is provided by the Department of Defense's ASSIST team and numerous industry teams serve private sector constituencies.

The use of information technology is integral to President Clinton's plan of re-engineering the Federal Government to make its services more accessible, more efficient, and easier to use. In 1993, President Clinton formed the Information Infrastructure Task Force (IITF) to deploy the National Information Infrastructure and Vice President Gore established the Government Information Technology Services (GITS) working group under the IITF "to improve the application of information technology by government agencies." Established in fiscal year 1995, the GITS IT Innovation Fund provides "seed" money for innovative IT projects in the Federal community.

FEDCIRC SELECTED AS GITS PROJECT

Initially proposed to GITS in March of 1996, the idea to establish a government-wide Incident Response Capability (IRC) was not a new one; however, the National Institute of Standards and Technology's (NIST) proposal offered a rich blend of experiences and the promise of immediate incident response capabilities through the use of two existing, well-recognized teams, the Department of Energy's Computer Incident Advisory Capability (CIAC) and the CERT(SM) Coordination Center (CERT/CC). The proposal envisioned an IRC equivalent to the Department of Defense incident handling team, ASSIST, and recommended a close relationship between the IRC and ASSIST to ensure that all national systems had access to IRC support.

On June 3, 1996, GITS granted $2,796,000 to NIST to establish a Federal Computer Incident Response Capability (FedCIRC). The capability would assist Federal civilian agencies in their incident handling efforts by providing proactive and reactive computer security related services. By combining the experience and expertise of NIST's Computer Security Division, CERT/CC, and CIAC, FedCIRC could provide agencies with cost reimbursable, direct technical assistance and incident handling support. NIST planned to subcontract the operational incident handling capability to the CERT/CC and CIAC, keeping the responsibility for operational management and for facilitating the development of incident handling standards and guidelines by utilizing the vulnerability data collected by FedCIRC. NIST also planned to use vulnerability information in the analysis and testing of software and other products.

PILOT OBJECTIVES

The goal of the FedCIRC project was to develop a self-sustaining response capability that met the needs of the federal civilian agencies. To that end, the FedCIRC objectives included:

to respond effectively and in a timely manner to security incidents by analyzing the problem, determining the magnitude of the threat, providing technical assistance to identify and close vulnerabilities, notifying sites affected, and issuing advisories to warn of the problem and describe countermeasures;
to expand the limited coverage of existing agency computer response teams by providing coverage for a broader range of incident types and technologies;
to provide agencies with guidelines on implementing vulnerabilities "fixes" and other security controls;
to maintain a 24 hour, 7 days a week response service for emergencies and a "help desk" function for normal business hours;
to facilitate the interaction with law enforcement agencies in the reporting of security incidents involving violations of the law;
to assist federal law enforcement in evidence gathering, where appropriate;
to perform "tiger team" attacks and offer intrusion detection services;
to coordinate information sharing with other incident handling organizations, including the Forum of Incident Response and Security Teams (FIRST); to develop, distribute, and maintain publicly available security tools, incident handling tools, and data gathering and reporting tools;
to coordinate with vendors and Internet service providers to provide critical security patches and "work-arounds;"
to perform vulnerability analysis to identify a vulnerability's root cause in order to identify other potential problems before they occur; and
to keep the federal community aware of the current threats through education in current technology and associated threats, training for security and network administrators on security practices; and awareness through Web sites, ftp services, and guidance documents.

PILOT OPERATIONS

One of the most challenging aspects of FedCIRC was the need to quickly create a virtual, seamless organization that spanned the Nation and offered a focal point for incident response around the clock. NIST's role was the overall management of FedCIRC, while CERT and CIAC performed the more traditional operational roles. Prior to the start of the FedCIRC collaboration, each entity had its own operating procedures and methods of conducting business. To perform as a virtual coast-to-coast team, however, the three FedCIRC collaborators agreed to a set of common procedures for coordinated activities and NIST produced an Operations Manual to describe them.

During the pilot experience, the energies and resources of the FedCIRC team (NIST, FedCIRC-East (CERT/CC), and FedCIRC-West (CIAC)) focused on handling incidents, on educating agencies about the need for incident handling, and on soliciting sponsorship for the continuance of the project.

SUBSCRIBERS OF THE PILOT PROJECT

The funding model used for the FedCIRC pilot was subscription based. Three yearly subscription fees, paralleling three service levels, were offered: platinum ($250,000 per year), gold ($110,000 per year), and silver ($50,000 per year). The philosophy behind the use of subscription levels was that organizations needing more service (e.g., more hours of dedicated incident handling, assistance to develop an organic incident handling capability, evaluation of particular systems or subsystems) could acquire it, while agencies and organizations requiring less service or merely wishing back-up for "hard to handle" incidents could be covered at a reduced cost to them. Six organizations signed on as FedCIRC subscribers during its pilot phase and over three-quarters of a million dollars of subscription funds helped sponsor the FedCIRC pilot after the first year.

The subscribers of the FedCIRC pilot are to be applauded as part of the successful collaboration that demonstrated the feasibility of an incident handling capability crossing agency boundaries. The subscribers were the Bureau of Alcohol, Tobacco and Firearms; the Federal Supply Service of the General Services Administration; the National Finance Center of the Department of Agriculture; the Department of Justice; the Department of State; and the U.S. Customs Service. These organizations recognized the importance of incident response as an integral part of a good IT security program.

LESSONS LEARNED

Several key lessons were learned from the FedCIRC pilot and they are summarized in the points below.

A virtual team is viable. The virtual team approach works. Three diverse organizations agreed upon operating procedures and successfully performed as a cohesive team. Time and energy spent on establishing the team were critical to its smooth operation and success.
All incidents are not equal. Computer security incidents range in scope and size. The amount of effort to handle incidents varies with the complexity of the incident and with the number of sites affected. Because of this, it is very difficult to attach a cost per incident; however, for most organizations a cost-benefit must be shown prior to support for incident handling.
Customers remain unaware of the threat and its potential impact. A significant gap exists between those agencies aware of computer security issues and those that are unaware. Many agencies still have an attitude of "it couldn't happen here" or "it's not happening here." This lesson helped focus FedCIRC on the need for additional training for users, managers, and administrators of Federal IT systems.
Varying levels of security expertise exist. Agencies are at different stages along the continuum of information security expertise -- some agencies are newly connected, some agencies still cling to mainframe activities. Many agencies are just beginning to attack the security issue. Knowledge and skills of systems administrators range from novice to expert; however, in general, an overall lack of computer security expertise is evident.
The subscription model for supporting an incident response team is inappropriate and unworkable. Assistance must be available to all federal civilian agencies, not just available to subscribers; and, in an ideal world, all agencies would share the expense of such assistance. Like a fire department that responds to any and all fires, not merely those of taxpayers in good standing, an incident response team must help wherever problems exist, not merely help with subscriber incidents.
FedCIRC is needed. The Federal civilian community needs assistance and guidance now in handling computer security related incidents. And, a coordinated approach to incident handling is extremely preferable.

FUTURE

The FedCIRC pilot demonstrated the need for coordinated incident handling government-wide and the success of a virtual-team approach; however, the problem of obtaining continued and continuous funding using the subscription model remained problematical. The Chief Information Officers (CIO) Council championed the project and facilitated its transition from proof-of-concept to a mature information security service.

Under the auspices of the Office of Information Security at the General Services Administration, the new FedCIRC will continue to be a collaborative partnership of computer incident response and security professionals who work together to handle computer security incidents and to provide both proactive and reactive security services for the Federal government. While FedCIRC will not replace existing agency or organizational response teams, it will serve as the focal point for Federal civilian agencies when dealing with computer related security incidents.

NIST Incident Handling Project

Over the coming months, the National Institute of Standards and Technology (NIST) will continue to focus on incident handling by revising Special Publication 800-3, "Establishing a Computer Security Incident Response Capability (CSIRC)." Marianne Swanson and Fran Nielsen will use the experience of FedCIRC to provide more guidance to agencies that want to leverage existing resources to create a CSIRC. They will produce the revised document which will include policy and procedures for setting up an incident handling capability. The first draft of the revision is anticipated in February 1999.

Subscribers' Views

The transition of FedCIRC from a pilot to an operational program is the culmination of many months of collaborative efforts on the part of the FedCIRC team and its subscribers. By way of closure, the FedCIRC team asked subscribers to summarize their experience. Some subscribers were unavailable for comment; however, those who responded were enthusiastic in their praise of the pilot. For the ATF, Carol Widmayer commented that while the ATF was fortunate enough not to need direct incident support during the pilot phase, "we took full advantage of the FedCIRC workshops and seminars. Good security training is hard to find and training budgets are tight. We found the workshops and seminars provided valuable information for both protecting our systems and for investigating incidents." John Feldman, State Department, praised the pilot, saying "the FedCIRC training opportunities were terrific!" On behalf of the DOJ, Vicki Lord said, "The Department of Justice appreciated the opportunity to be a part of the FedCIRC pilot program. It was a valuable learning experience which has enabled the Department to develop and implement a more pro-active computer security program. The opportunities for training, information sharing, and assistance were excellent." Recalling one of the pilot's key objectives— to raise the awareness of the federal community to sound computer security practices— the FedCIRC pilot constituency indicates that this objective was most effectively met. Congratulations on the success of the FedCIRC pilot and best wishes for the future as FedCIRC goes operational!

Statistics from FedCIRC Pilot

The number of incidents handled has grown signficantly over the lifetime of the pilot. In addition, the methodology for collecting and reporting incident statistics evolved as the pilot matured. In the first year of the pilot, FedCIRC-east (CERT) and FedCIRC-west (CIAC) handled 244 incidents affecting thousands of sites. These incidents were broken down into various types and the ripple effect impacted thousands of sites. In 1997, eighty-four FedCIRC advisories were circulated. As of FY98, NASA's incident handling team, NASIRC, joined in the reporting mechanism and their incident statistics were incorporated into the overall number of .gov-related incidents handled by the three teams: FedCIRC-east (CERT), FedCIRC-west (CIAC) and NASIRC. For the first quarter, the number of incidents handled was 159 and the number of FedCIRC information requests was 63. In the first half of fiscal year 1998, the three teams responded to 442 .gov incidents; these incidents affected tens of thousands of sites. By the end of fiscal year 1998, the number of .gov-related incidents handled totalled 1,683 and 259 requests for information were answered by FedCIRC. One-hundred and eleven FedCIRC alerts were posted in FY98. The FedCIRC pilot web site was accessed nearly 370,000 times in FY98. During the pilot period, the FedCIRC team gave twenty-one seminars, trained thousands of Federal employees and their contractors, and visited scores of organizations to raise their awareness about the need for increased IT security measures, including incident response. NIST is in the process of analyzing the pilot's incident statistics. The analysis will consist of a break-down of these incidents into category, exploit used, and number of sites and hosts affected by the incident. When completed, this analysis will be posted on both the FedCIRC and the NIST websites: FedCIRC: www.fedcirc.gov NIST: csrc.nist.rip

Return to Previous Page

Return to Incident Handling Homepage

Return to CSRC Homepage Please send comments or suggestions to webmaster-csrc@nist.rip Last Modified: March 15, 2002.