Search Options
Index | Site Map | FAQ | Facility Info | Reading Rm | New | Help | Glossary | Contact Us

POLICY ISSUE
(INFORMATION)

SECY-00-0088

April 14, 2000

• PURPOSE:
• BACKGROUND:
• DISCUSSION:

PURPOSE:

To inform the Commission of the National Plan for Information Systems Protection

BACKGROUND:

President Clinton recently released the National Plan for Information Systems Protection, Version 1.0. It is the first major element of a more comprehensive effort to protect critical information systems from cyber-attack. The plan responds to Presidential Directive 63 (PDD-63) which directed its development.

DISCUSSION:

The National Plan for Information Systems Protection largely focuses on domestic efforts being undertaken by the Federal Government to protect the Nation's critical cyber-based infrastructures. The plan represents the starting point for discussions with private sector owners and operators of critical infrastructures, and other interested parties. The purpose of these discussions is to refine the plan so that together the public and private sectors can overcome the unique challenge to our national security that the Federal Government cannot meet alone.

The plan is built around three major objectives:

1. Prepare and Prevent: Those steps necessary to minimize the possibility of a significant and successful attack on the nation's critical information networks, and build an infrastructure that remains effective in the face of such attacks.
   
   
2. Detect and Respond: Those actions required to identify and assess an attack in a timely way, and then to contain the attack, quickly recover from it, and reconstitute affected systems.
   
   
3. Build Strong Foundations: The things we must do as a nation to create and nourish the people, organizations, laws and traditions which will make us better to prepare and prevent, detect and respond to attacks on the nation's critical information networks.

The plan proposes ten programs for achieving these objectives. They are attached for your information.

Attachment: As stated

ATTACHMENT

National Plan Information Systems Protection Programs

"First, know thyself."

The First Program is for Government and the Private sector to identify significant assets, interdependencies, and vulnerabilities of critical information networks to attack, then develop and implement realistic programs to remedy the vulnerabilities, while continuously updating the assessment and remediation effort.

"Today, we don't even know when we are being attacked."

The Second Program installs multi-layered protection on sensitive computer systems, including advanced firewalls, intrusion detection monitors, anomalous behavior identifiers, enterprise-wide management systems, and malicious code scanners. To protect critical Federal systems, computer security operations centers (first in DOD, then the Federal Intrusion Detection Network [FID Net] in coordination with other Federal Agencies) will receive warnings from these detection devices, as well as Computer Emergency Response Teams (CERTs) and other means, in order to analyze the attacks and assist sites in defeating attacks.

"People form governments to defend themselves from foreign enemies and domestic criminals."

The Third Program assists, transforms, and strengthens U.S. law enforcement and intelligence agencies to be able to deal with a new kind of threat and a new kind of criminal, one that acts against computer networks.

"An attack on one shall be considered an attack on all."

The Fourth Program is to improve Federal information sharing by encouraging the establishment of state and Federal information sharing and analysis centers and to remove barriers to information sharing so companies who wish to share system vulnerabilities with the government would not be deterred because information disclosed to the government could be subject to public disclosure.

"...isolate and minimize damage....restore required capabilities rapidly"

The Fifth Program is to limit an attack while it is underway and to build into corporate and agency continuity and recovery plans the ability to deal with information attacks.

"Information Technology is progressing at the speed of Internet years, four for every calendar year."

The Sixth Program systematically establishes research requirements and priorities needed to implement the plan, ensures their funding, and creates a system to ensure that our information security technology stays abreast with changes in the threat and in overall information systems.

"We just don't have the trained people."

The Seventh Program surveys the numbers of people and the skills required for information security specialists within the Federal Government and nationwide, and takes action to train current Federal IT workers and recruit and educate additional personnel to meet shortfalls.

"Action follows understanding."

The Eighth Program will explain publicity the need to act now, before a catastrophic event, to improve our ability to defend against deliberate cyber attack.

"Just as the Government must form a partnership with private industry, the Executive Branch and Congress must work closely together to defend our Nation's critical infrastructures."

The Ninth Program develops the legislative framework necessary to support initiatives proposed in other programs. This action requires intense cooperation between the Federal Government, including Congress, and private industry.

"...the right of the people to be secure in their persons, houses, papers, and effects..."

The Tenth Program is incorporated in every other program and is making what we do in the protection of critical cyber systems conform to Constitutional and other legal rights.