Computer System Security and Privacy Advisory Board
Resolution 98-1
March 5, 1998

The Computer System Security and Privacy Advisory Board (CSSPAB) commends the members of the Chief Information Officers (CIO) Council for their increased focus on computer security and privacy in the federal government and formation of the Security Subcommittee. The CSSPAB also acknowledges the initial efforts of the CIO Security Subcommittee, specifically its statement of support for a Federal Computer Incident Response Capability (FedCIRC)-like emergency response capability program for the civilian government agencies. We agree with the CIO Security Subcommittee on the need for a central coordination point and provider of core support services. This tracks the recommendations and directions following from the October 1997 President's Commission on Critical Infrastructure Protection (PCCIP) Report for leadership by selected agencies.

Therefore, the Board

* recommends that the National Institute of Standards and Technology (NIST), which has already established resources and expertise in FedCIRC capabilities and performs a non-law enforcement role, continue as the provider of these core services for centrally provided emergency response capabilities. Such core services should include collection and tracking of vulnerabilities, incidents, advisories, and awareness/training materials, and program coordination between the civil agencies, government and commercial providers. NIST is the appropriate coordinating agency due to its blend of independence, credibility, and knowledge; reputation for neutrality; expertise in cross-government facilitation; expertise in standards and guidelines; and its legislated responsibilities related to security of non-classified federal information.

* encourages the inclusion of a training component on incident handling and prevention in addition to the other core services within the emergency response capability, consistent with the requirements of OMB Circular A-130, Appendix III. Without an understanding of the processes for avoiding incidents, minimizing impact, recovering from incidents and handling forensic evidence, the agencies may exacerbate the damage to the federal government. To centralize the awareness and training materials, avoid duplication of effort and reduce the cost of government, NIST is well positioned to provide central support and coordination of this critical component.

For: Burns, Fisher, Leo, Sanovic, Spix, Trubow, Vetter, Wade
Against: None
Abstain: None
Absent: Davis, Parker, Weingarten [present for meeting but not available for vote]