GSA kicks off effort for intrusion detection service

GSA kicks off effort for intrusion detection service

By Christopher J. Dorobek

GCN Staff

The General Services Administration figures that commercial intrusion detection tools might be vigorous enough for use in a governmentwide program.

In a draft request for proposals for the Federal Intrusion Detection Network, GSA said this month it might favor use of commercial components over development of a custom FIDnet.

In its FIDnet solicitation, the General Services Administration details a plan for dealing with suspicious traffic on federal networks.

'We no longer have to develop' a custom system, said Darwyn Banks, GSA's FIDnet program manager.

One benefit of this approach is a different funding method, GSA officials said. The agency could set up FIDnet as a fee-for-service program, bypassing the sometimes unwieldy budget appropriations process, officials said. Appropriations could subsidize intrusion detection systems for small agencies that do not have the resources larger agencies do, they said.

GSA initially estimated that development and start-up costs for FIDnet would be in the $10 million range. But GSA officials said the figure is obsolete now because of the possibility of using off-the-shelf components.

Initially, when GSA and security officials from other agencies conceived of FIDnet as a federal cyber-burglar alarm, they suggested that the government would need to build from scratch a system to monitor traffic on government networks [GCN, Oct. 25, 1999, Page 9].

But in just a few short months, many of the types of tools that GSA wants to incorporate in FIDnet have become available in the commercial information technology market, Banks said. 'These services are now being offered in the dot-com domain,' he said. 'We can piggyback on that.'

Right on track

The draft RFP describes FIDnet as a system in which one or more vendors would monitor the tracking system and feed information to the FIDnet program office.

Although GSA expects to consider a commercial approach, Banks said, the agency has made no final decision about FIDnet's ultimate design. One of the aims of the draft solicitation is to determine what approach makes sense, technically and economically, he said.

The draft RFP, posted on the Web at, describes FIDnet as a mixture of hardware, software and services to receive and analyze threat notifications from participating agencies' individual intrusion detection systems.

The system would analyze data collected from the agencies' intrusion detection systems to provide information on improving cybersecurity.

GSA will accept comments on the draft RFP until Friday. The agency expects to release the final RFP in fiscal 2001, but GSA officials would not say when the agency plans to award a contract.

FIDnet's 'purpose is to enhance the civilian federal government's overall information security posture with respect to computer intrusions,' the draft RFP stated.

When an event is identified, FIDnet will share information about the event with the network's subscribers. The details supplied by FIDnet, for example, might include procedures for blocking a repeat of the system breach on other agencies' systems.

The draft describes a multisystem, multiagency program that would let participating agencies recognize and respond to common attacks.

GSA would require vendors to develop a method of gathering information from agencies' intrusion detection systems, analyzing it and distributing that analysis back to agencies.

What to expect

The RFP says GSA would expect FIDnet contractors to alert subscribers within 15 minutes of identifying an attack.

The draft also addressed privacy, an issue that has dogged FIDnet. Privacy advocates voiced concerns that FIDnet would monitor private Internet traffic [GCN, Aug. 2, 1999, Page 3].

To assuage these concerns, GSA circulated the draft RFP among privacy groups and sent a copy to the White House's privacy counsel before releasing it publicly.

The draft RFP reiterated that FIDnet would analyze data collected by agencies about their systems. If the initial GSA analysis suggests a need for additional investigation, the FIDnet team would forward the alarm indications and audit logs to the Analysis and Warning Division of the FBI's National Infrastructure Protection Center.

If NIPC suspects criminal activity, the FBI could obtain the necessary court orders and then forward the data to NIPC's Computer Crimes Section for investigation and possible prosecution.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.