OMB to reduce federal gateways

Plan to boost security could create shared services for connectivity

In an ambitious plan to reduce federal networks' exposure to hackers, the Office of Management and Budget wants to cut to 50 the total number of external connectivity points, including Internet connections, for all federal agencies.

OMB's new initiative, called Trusted Internet Connections, requires agencies to develop a plan of action by Jan. 8 for reducing the number of connection points they maintain to the Internet. Agencies must consolidate the number of external gateways to a handful each, perhaps by setting up shared-service centers with other agencies. A gateway, or Internet point of presence, is a physical location with servers, routers and switches through which a network connects to the Internet.

The consolidation must be complete by June. The Homeland Security Department's National Cyber Security Division will oversee the initiative.

A Nov. 20 memo from OMB Deputy Director for Management Clay Johnson introduced TIC. A governmentwide meeting in Washington followed Nov. 30, at which Karen Evans, OMB's administrator for e-government and information technology, detailed the plans.

Today, agencies have more than 1,000 external connections to the Internet, not counting those maintained by contractors, Evans said at the meeting, according to a government official who attended but did not wish to be identified. Each point of presence will be monitored by multiple security applications and appliances, such as the U.S. Computer Emergency Readiness Team's Einstein Monitoring Program. OMB wants agencies to strongly consider using GSA's Networx telecommunications contract to comply with TIC.

'This is an essential step because Federal Information Security Management Act-based defenses have failed to stop the attackers,' said Alan Paller, director of research at the SANS Institute.

'Once they are inside, only very sophisticated monitoring can hope to find the infections.'

Richard Burk, OMB's former chief architect and now a consultant, said reducing the number of Internet connections shouldn't be too difficult: The Defense Department and DHS have already made the move.

'I've been told that if the Pentagon can reduce the .mil domain to 18 connections and DHS can get down to two connections, it seems reasonable for the rest of government to consolidate,' Burk said. 'If that is the case, such consolidation would optimize the use of USCERT and the investment of $115 million into it. Internet connections are a commodity item which should be treated as a service and purchased as such.'

He added that agencies don't have enough trained staff to properly maintain the connections.

'There is no way each agency can operate its own at an adequate level.'

In any case, some experts say, complying with this plan will be a big job. The first step is to identify all the current external gateways, a task that by itself could be formidable. An agency's enterprise architecture will be crucial to consolidating the gateways, said Tony D'Agata, Sprint's vice president of federal government. The agencies must then work with their network providers and fellow agencies to re-engineer connections to meet the new architecture.

Industry observers have noted that some aspects of the plan will have to be developed along the way. One task is to design the networks so that they still offer connectivity during node outages.

When a portal for one region goes down, all agencies in that area using the portal will be without connectivity, unless some sort of secondary connectivity is available.

Need to share

Roger Baker, former chief information officer at the Commerce Department and now chief executive officer at Dataline, said having a limited number of Internet connections will mean that agencies must become shared-service providers for field offices, which will add new levels of complexity.

For instance, if the agency in charge of one portal has a policy to cut off all external access when a breach occurs, will the connectivity for other agencies it supports at that location also be shut off? 'It will be hard for agencies to agree on a standard security policy for connections,' Baker said.

Nonetheless, OMB appears to be quite serious in moving this initiative forward.

'OMB sees this as a minimally disruptive initiative that has a huge ROI and is not interested in hearing excuses,' the government source said.

Joab Jackson contributed to this story.
