To ensure that the nation’s systems are safe from cyberterrorism, the
administration will demand detailed security plans from eight more agencies.

It expects plans next month from 14 agencies for the infrastructure protection effort.

The administration last week unveiled its plan to require additional agency
participation. Government officials talked about the project at a computer security
seminar sponsored by the General Services Administration and the Chief Information Officer
Council’s Security Committee.

The additional agencies will get formal notice in a few weeks from Richard Clarke, the
national coordinator for security, critical infrastructure and counterterrorism, said
Thomas R. Burke, GSA’s chief infrastructure assurance officer.

“As the president has directed, the federal government should be the model. Right
now we are a model. We’re a model of what not to do,” Clarke said.

The additional agencies, known as Tier 2 agencies, join the 14 Tier 1 agencies that the
White House already assigned responsibilities.

Tier 1 agencies must complete vulnerability surveys by next month; Tier 2 agencies have
until February to do their vulnerability surveys, Burke said.

Delineating Tier 1 and Tier 2 agencies means that remaining agencies will not be
required to detail their security plans under Presidential Decision Directive 63.

The directive previously was viewed as a governmentwide mandate. “There was some
confusion among agencies about which ones were covered,” said Jeffrey Hunker,
director of the administration’s Critical Infrastructure Assurance Office. By
identifying the Tier 1 and Tier 2 agencies, CIAO can focus on the most critical agencies,
he said.

“We are encouraging those agencies [not identified] to take the same
actions—to develop their plans,” Hunker said. “We’re not requiring
them to do it.”

At the seminar last week, Clarke made a dramatic call for agencies to act. “I know
none of you need additional work, especially work that might highlight your
vulnerabilities,” he said. “But you’re being asked to define the
defenses—the defenses against the next war.”

CIAO, the organization that is responsible for implementing a plan to protect the
nation’s critical infrastructures, has made a dozen agencies responsible for specific
areas. The Treasury Department, for example, is working with the banking and finance
community to ensure that they have a plan to deal with cyberattacks.

Burke said GSA and CIAO are assembling a team of security experts to help agencies
formulate security plans. The team will include government security experts on loan from
their agencies for at least 120 days, he said.

GSA is also in the final stages of developing a basic security plan and vulnerability
assessment to help agencies, Burke said. Agencies should use existing documentation for
their plans such as internal and General Accounting Office audits, he said.

Hunker also suggested that agencies use knowledge gained from their year 2000 work to
build security plans. For instance, agencies have inventoried their mission-critical
systems, he said.