DOE sets security course
Department will allot $80 million to bolstering data controls
CIO John Gilligan will spearhead the effort.
By Frank Tiboni
The Energy Department will spend $80 million over the next two years to create a security net for its systems, chief information officer John Gilligan said of the cybersecurity plan he will roll out departmentwide next month.
The four-point plan calls for sweeping changes in how the department protects its data resources, Gilligan said. He said the plan's four areas address policy, personnel, operational and technical requirements. He submitted the plan to Energy senior management late last month and got the green light to begin work immediately.
To make sure that new security initiatives take hold beyond department headquarters, Gilligan has asked field sites to designate CIOs or equivalent officials as lead security officers.
The obvious first step is awareness, Gilligan said, so a major component of the plan is training and education. The department will begin a two-year, $2 million multimedia program right away, he said.
Secretary Bill Richardson initiated several security reforms in the wake of the Los Alamos espionage scandal, including giving computer security oversight to Gilligan [GCN, May 24, Page 1].
A central component of Richardson's reform package directs Gilligan to improve the security of information that is stored, processed or transmitted by Energy systems.
The reforms also realigned the CIO's office under the new Office of Security and Emergency Operations, which is headed by former Air Force Gen. Eugene E. Habiger [GCN, June 28, Page 1].
The 47-page systems security plan (which Gilligan's staff had been working on since mid-May with help from Booz, Allen & Hamilton Inc. of McLean, Va., Electronic Data Systems Corp. and Mitre Corp. of Bedford, Mass.) details ongoing and planned activities. Gilligan said the department will use it as a cybersecurity road map for the next five years.
"It's a sound plan that's comprehensive, addresses needs and is doable," he said. "It will clearly allow us to achieve a significant improvement in computer security in the next two years."
Gilligan said he will coordinate the execution of the plan through the department's Field Management Council.
During Phase 1, which takes place from October through December, more than 1,000 systems administrators and managers at the department's national laboratories will undergo training in network security, system-specific configuration planning, Web server security, mail server security and cybersecurity policies for managers.
Following up on that initial training, Energy will broaden its program to ensure that appropriate training is given to all DOE personnel and contractors within the next two years. The training will cover the security requirements for all systems: those that handle classified information as well as those that handle unclassified data.
Gilligan said another effort will be to improve security operations in the department. Energy will spend $45 million of the $80 million it is setting aside for systems security through fiscal 2001 on bolstering program management, monitoring ability and protection know-how.
As part of this effort, Energy will expand the staff of its Computer Incident Advisory Capability at the Lawrence Livermore National Laboratory in Livermore, Calif., from seven to 25 people over the next year.
CIAC will be Energy's first line of defense. It will spearhead intrusion assessment, warning and response, and the day-to-day monitoring of department systems and networks, Gilligan said.