|History of the Federal Computer Incident Response Capability (FedCIRC) Pilot||
|June 1996 through September 1998|
In April 1996 NIST proposed to the Government Information Technology Services Board (GITS) a government-wide computer security incident response capability. The capability would be administered by the National Institute of Standards and Technology (NIST) and operated by the Department of Energy's Computer Incident Advisory Capability (CIAC) and the CERT(SM) Coordination Center (CERT/CC). By utilizing two existing teams, CIAC and the CERT/CC, an immediate response capability would be provided. NIST's role was to facilitate incident handling for the federal agencies by providing standards, guidance, and mechanisms for sharing information.
The need for an incident handling capability that crossed agency boundaries had never been greater. Most federal agencies were connected to the Internet and exchanged information regularly. The number of Internet related incidents that occurred in 1995, along with the increase and complexity of threats, required agencies to take seriously their incident handling capabilities. The Office of Management and Budget emphasized this need in OMB Circular A-130, Appendix III, by requiring agencies to be able to respond in a manner that both protects their own information and helps to protect the information of others who might be affected by the incident. The private sector was undergoing the same rapid growth in network dependency as the Federal community and needed the same incident handling support. Several private sector organizations foresaw the need and began to offer incident handling services.
The Presidential Commission for Infrastructure Protection also saw the necessity for the Federal community to be able to deal effectively and efficiently with threats to their information technology. The Commission recommended the establishment of a capability that would coordinate with other Federal initiatives, when necessary, to analyze and resolve the threats to the critical information technology infrastructure.
On June 3, 1996, the GITS Innovation Fund Committee granted $2,796,000 to NIST to establish a Federal Computer Incident Response Capability (FedCIRC). The capability assisted Federal civilian agencies in their incident handling efforts by providing proactive and reactive computer security related services. FedCIRC combined the experience and expertise of NIST's Computer Security Division, CERT/CC, and CIAC to provide agencies with cost reimbursable, direct technical assistance and incident handling support.
During the FedCIRC pilot's short existence, much was accomplished towards realizing the FedCIRC mission. FedCIRC assisted in over eighteen hundred incidents which impacted thousands of sites world wide. FedCIRC devoted a significant portion of its two years to educating the federal community by holding twenty-two workshops/seminars on incident handling and incident prevention. The web site was accessed a half-million times. The site contained an interactive tools database and virus database as well as other relevant information and resources for incident handling. FedCIRC handled thousands of e-mail messages and hot-line calls requesting information and guidance.
In addition to the above activities, the energies and resources of the FedCIRC team were focused on informing potential clientele about the program and on obtaining funding for continued fiscal health. The two-fold problem of educating the consumer and soliciting sponsorship was costly and side-stepped the real FedCIRC emphasis of providing incident handling for the Federal civilian government.
FedCIRC revenue generation was built on a subscription model. The FedCIRC collaborators found, however, that a subscription model as a means of funding an incident response (IR) team was inappropriate and unworkable. Two points were clear from using this model to acquire funds for FedCIRC. The first point was that eighteen months (i.e., the initial and follow-on GITS funding) was too short a time to make FedCIRC self-supporting financially. The FedCIRC pilot demonstrated valuable output and assistance in the short time it was operational. FedCIRC garnered verbal support and enthusiasm for its program of work. FedCIRC could not, however, overcome fiscal bureaucracies, budget cycles, and shrinking dollars within such a short time frame. The second, and arguably the more important, point was the dichotomy which existed between the expectations of subscribers for special attention and the need of the electronic community for trouble-free networking. Most incidents involve multiple sites. FedCIRC assistance needed to be available to all Federal civilian agencies, not just available to subscribers.
In an ideal world, all agencies would help pay for FedCIRC support. Like a fire department that responds to any and all fires and not just to taxpayers' blazes, an IR team needs to help wherever problems exist, not merely to help with subscriber incidents. Incident response is not a stand-alone operation. While subscribers expected special attention, the reality of incident response required that FedCIRC help all organizations involved in an incident. Involving only the subscribers in attempting to resolve incidents likely meant FedCIRC could not reach the site the penetrator was using or get key information needed to understand how the intruder was breaking in or what new vulnerabilities were being exploited. A stable funding source was required to make FedCIRC a success. Again, the fire station model should be used: the station responds to all requests to put out fires (in a priority order based on need), not just to requests from those who have paid for fire protection.
In January 1998, the Chief Information Officer's (CIO) Council Security Committee began reviewing FedCIRC operations. The Committee agreed that FedCIRC services were needed for all Federal civilian agencies and requested that the General Services Administration become the manager of the initiative. Working closely with the GSA team, the FedCIRC pilot team of NIST, CERT/CC, and CIAC ensured that most of the services provided by the pilot would continue in the GSA/FedCIRC.
On October 1, 1998, the new GSA program became operational. The capability is available twenty-four hours a day, alerts are being issued, a web site is maintained, training courses are planned, and specific services (e.g., forensic support) can be procured through GSA.