Reporting period: October 1996 - September,
FedCIRC Pilot Goes Operational
GSA Now Manager of FedCIRC
The General Services Administration (GSA) became the manager of the FedCIRC
initiative on October 1, 1998. Working closely with the GSA team, the FedCIRC
pilot team of NIST, CERT/CC and CIAC has ensured that most of the services
provided by the pilot will continue into the GSA/FedCIRC. The capability
is available twenty-four hours a day, alerts are being issued, a web site
is maintained, training courses are planned, and specific services (e.g.,
forensic support) can be procured through GSA. GSA selected the CERT/CC
of the Software Engineering Institute at the Carnegie Mellon University
as the operational core of FedCIRC. CERT/CC is globally respected as one
of the leaders in information technology incident handling and recovery
operations. The Chief Information Officer's (CIO) Council requested that
GSA become the manager of the FedCIRC initiative. For the past two years,
the National Institute of Standards and Technology (NIST) has successfully
operated FedCIRC along with the outstanding operational support of CIAC
and CERT/CC. The new FedCIRC provides containment and recovery assistance
to agencies and departments of the Federal government when faced with information
technology security related events such as computer viruses, unauthorized
intrusion, misuse, or technical malfunctions.
FedCIRC is the focal point of a collaborative partnership of Federal
Civilian Agencies, the Department of Defense, Law Enforcement, and Academia.
In its July announcement of the selection of the CERT/CC as FedCIRC's operational
arm, GSA said "the purpose of the partnership is to protect information
and components of the nation's critical information infrastructure. Toward
this end, the FedCIRC is building a close working relationship with the
National Infrastructure Protection Center (NIPC) which has responsibility
for detecting, deterring, assessing, warning of, investigating, and responding
to attacks on the critical infrastructures of the United States."
Kudos to Subscribers
Special recognition goes to the six subscribers to the FedCIRC pilot: Bureau
of Alcohol, Tobacco and Firearms; Federal Supply Service of the General
Services Administration; National Finance Center of the Department of Agriculture;
Department of Justice; Department of State; and U.S. Customs Service. In
particular, thanks to Archie Bertrand (NFC/USDA), John Feldman (State),
Ken Grossman (FSS/GSA), Edward Keefe (Customs), Vicki Lord (DOJ), and Carol
Widmayer (ATF) for the confidence they placed in FedCIRC and the financial
support their organizations provided. This support was instrumental in
securing FedCIRC's evolution from pilot to operational program.
Lessons Learned from FedCIRC Pilot
In less than two years, the Federal Computer Incident Response Capability
(FedCIRC), initially a Government Information Technology Services (GITS)
Board pilot project, demonstrated the need for coordinated incident handling
government-wide and the success of a virtual team approach. Formally announced
in October 1996, FedCIRC became an operational program administered by
the Office of Information Security of the General Services Administration
on October 1, 1998.
The GITS Board sponsored the FedCIRC pilot for 18 months and six Federal
organizations subscribed to the FedCIRC services during the pilot experience.
This article is extracted from a paper written by Fran Nielsen and Marianne
Swanson, which describes the pilot and the lessons learned from it. Fran
Nielsen presented the paper at the recent System Administration, Networking
and Security (SANS) Conference in Orlando.
The need for an incident handling capability that crosses Federal government
agency and organizational boundaries has never been greater. Both in the
private and public sectors, organizations are becoming more dependent on
information technology (IT).
Diverse sources, from the General Accounting Office to congressional
hearings to the Presidential Commission on Critical Infrastructure Protection,
describe the insecurity of Federal Government information technology (IT)
infrastructures as illustrated by the dramatic increase in electronic break-ins
in the public and private sectors. The Department of Defense alone had
250,000 hacker attempts on its computer systems last year. At a recent
Chief Executive Officer's conference, attendees were told that government
and corporate computer break-ins by hackers are a $10 billion-a-year problem.
The FedCIRC pilot was designed to address the near- and long-term incident
handling needs of the Federal civilian community, by providing incident
handling services to civilian agencies and by building agency competence
and self-reliance in incident handling. The military incident handling
coordination service is provided by the Department of Defense's ASSIST
team and numerous industry teams serve private sector constituencies.
The use of information technology is integral to President Clinton's
plan of re-engineering the Federal Government to make its services more
accessible, more efficient, and easier to use. In 1993, President Clinton
formed the Information Infrastructure Task Force (IITF) to deploy the National
Information Infrastructure and Vice President Gore established the Government
Information Technology Services (GITS) working group under the IITF "to
improve the application of information technology by government agencies."
Established in fiscal year 1995, the GITS IT Innovation Fund provides "seed"
money for innovative IT projects in the Federal community.
FedCIRC Selected As GITS Project:
Initially proposed to GITS in March of 1996, the idea to establish a government-wide
Incident Response Capability (IRC) was not a new one; however, the National
Institute of Standards and Technology's (NIST) proposal offered a rich
blend of experiences and the promise of immediate incident response capabilities
through the use of two existing, well-recognized teams, the Department
of Energy's Computer Incident Advisory Capability (CIAC) and the CERT(SM)
Coordination Center (CERT/CC). The proposal envisioned an IRC equivalent
to the Department of Defense incident handling team, ASSIST, and recommended
a close relationship between the IRC and ASSIST to ensure that all national
systems had access to IRC support.
On June 3, 1996, GITS granted $2,796,000 to NIST to establish a Federal
Computer Incident Response Capability (FedCIRC). The capability would assist
Federal civilian agencies in their incident handling efforts by providing
proactive and reactive computer security related services. By combining
the experience and expertise of NIST's Computer Security Division, CERT/CC,
and CIAC, FedCIRC could provide agencies with cost reimbursable, direct
technical assistance and incident handling support. NIST planned to subcontract
the operational incident handling capability to the CERT/CC and CIAC, keeping
the responsibility for operational management and for facilitating the
development of incident handling standards and guidelines by utilizing
the vulnerability data collected by FedCIRC. NIST also planned to use vulnerability
information in the analysis and testing of software and other products.
The goal of the FedCIRC project was to develop a self-sustaining response
capability that met the needs of the federal civilian agencies. To that
end, the FedCIRC objectives included:
to respond effectively and in a timely manner to security incidents by
analyzing the problem, determining the magnitude of the threat, providing
technical assistance to identify and close vulnerabilities, notifying sites
affected, and issuing advisories to warn of the problem and describe countermeasures;
to expand the limited coverage of existing agency computer response teams
by providing coverage for a broader range of incident types and technologies;
to provide agencies with guidelines on implementing vulnerability "fixes"
and other security controls;
to maintain a 24 hour, 7 days a week response service for emergencies and
a "help desk" function for normal business hours;
to facilitate the interaction with law enforcement agencies in the reporting
of security incidents involving violations of the law;
to assist federal law enforcement in evidence gathering, where appropriate;
to perform "tiger team" attacks and offer intrusion detection services;
to coordinate information sharing with other incident handling organizations,
including the Forum of Incident Response and Security Teams (FIRST);
to develop, distribute, and maintain publicly available security tools, incident
handling tools, and data gathering and reporting tools;
to coordinate with vendors and Internet service providers to provide critical
security patches and "work-arounds;"
to perform vulnerability analysis to identify a vulnerability's root cause
in order to identify other potential problems before they occur; and
to keep the federal community aware of the current threats through education
in current technology and associated threats, training for security and
network administrators on security practices; and awareness through Web
sites, ftp services, and guidance documents.
One of the most challenging aspects of FedCIRC was the need to quickly
create a virtual, seamless organization that spanned the Nation and offered
a focal point for incident response around the clock. NIST's role was the
overall management of FedCIRC, while CERT and CIAC performed the more traditional
operational roles. Prior to the start of the FedCIRC collaboration, each
entity had its own operating procedures and methods of conducting business.
To perform as a virtual coast-to-coast team, however, the three FedCIRC
collaborators agreed to a set of common procedures for coordinated activities
and NIST produced an Operations Manual to describe them.
During the pilot experience, the energies and resources of the FedCIRC
team (NIST, FedCIRC-East (CERT/CC), and FedCIRC-West (CIAC)) focused on
handling incidents, on educating agencies about the need for incident handling,
and on soliciting sponsorship for the continuance of the project.
Subscribers Of The Pilot Project:
The funding model used for the FedCIRC pilot was subscription based. Three
yearly subscription fees, paralleling three service levels, were offered:
platinum ($250,000 per year), gold ($110,000 per year), and silver ($50,000
per year). The philosophy behind the use of subscription levels was that
organizations needing more service (e.g., more hours of dedicated incident
handling, assistance to develop an organic incident handling capability,
evaluation of particular systems or subsystems) could acquire it, while
agencies and organizations requiring less service or merely wishing back-up
for "hard to handle" incidents could be covered at a reduced cost to them.
Six organizations signed on as FedCIRC subscribers during its pilot phase
and over three-quarters of a million dollars of subscription funds helped
sponsor the FedCIRC pilot after the first year.
The subscribers of the FedCIRC pilot are to be applauded as part of
the successful collaboration that demonstrated the feasibility of an incident
handling capability crossing agency boundaries. The subscribers were the
Bureau of Alcohol, Tobacco and Firearms; the Federal Supply Service of
the General Services Administration; the National Finance Center of the
Department of Agriculture; the Department of Justice; the Department of
State; and the U.S. Customs Service. These organizations recognized the
importance of incident response as an integral part of a good IT security
Several key lessons were learned from the FedCIRC pilot and they are summarized
in the points below.
A virtual team is viable. The virtual team approach works. Three diverse
organizations agreed upon operating procedures and successfully performed
as a cohesive team. Time and energy spent on establishing the team were
critical to its smooth operation and success.
All incidents are not equal. Computer security incidents range in scope
and size. The amount of effort to handle incidents varies with the complexity
of the incident and with the number of sites affected. Because of this,
it is very difficult to attach a cost per incident; however, for most organizations
a cost-benefit must be shown prior to support for incident handling.
Customers remain unaware of the threat and its potential impact. A significant
gap exists between those agencies aware of computer security issues and
those that are unaware. Many agencies still have an attitude of "it couldn't
happen here" or "it's not happening here." This lesson helped focus FedCIRC
on the need for additional training for users, managers, and administrators
of Federal IT systems.
Varying levels of security expertise exist. Agencies are at different stages
along the continuum of information security expertise -- some agencies
are newly connected, some agencies still cling to mainframe activities.
Many agencies are just beginning to attack the security issue. Knowledge
and skills of systems administrators range from novice to expert; however,
in general, an overall lack of computer security expertise is evident.
The subscription model for supporting an incident response team is inappropriate
and unworkable. Assistance must be available to all federal civilian agencies,
not just available to subscribers; and, in an ideal world, all agencies
would share the expense of such assistance. Like a fire department that
responds to any and all fires, not merely those of taxpayers in good standing,
an incident response team must help wherever problems exist, not merely
help with subscriber incidents.
FedCIRC is needed. The Federal civilian community needs assistance and
guidance now in handling computer security related incidents, and a coordinated
approach to incident handling is strongly preferable.
The FedCIRC pilot demonstrated the need for coordinated incident handling
government-wide and the success of a virtual-team approach; however,
obtaining continued and continuous funding using the subscription
model remained problematic. The Chief Information Officers (CIO) Council
championed the project and facilitated its transition from proof-of-concept
to a mature information security service.
Under the auspices of the Office of Information Security at the General
Services Administration, the new FedCIRC will continue to be a collaborative
partnership of computer incident response and security professionals who
work together to handle computer security incidents and to provide both
proactive and reactive security services for the Federal government. While
FedCIRC will not replace existing agency or organizational response teams,
it will serve as the focal point for Federal civilian agencies when dealing
with computer related security incidents.
NIST Incident Handling Project
Over the coming months, the National Institute of Standards and Technology
(NIST) will continue to focus on incident handling by revising Special
Publication 800-3, "Establishing a Computer Security Incident Response
Capability (CSIRC)." Marianne Swanson and Fran Nielsen will use the experience
of FedCIRC to provide more guidance to agencies that want to leverage existing
resources to create a CSIRC. They will produce the revised document which
will include policy and procedures for setting up an incident handling
capability. The first draft of the revision is anticipated in February
The transition of FedCIRC from a pilot to an operational program is the
culmination of many months of collaborative efforts on the part of the
FedCIRC team and its subscribers. By way of closure, the FedCIRC team asked
subscribers to summarize their experience. Some subscribers were unavailable
for comment; however, those who responded were enthusiastic in their praise
of the pilot. For the ATF, Carol Widmayer commented that while the ATF
was fortunate enough not to need direct incident support during the pilot
phase, "we took full advantage of the FedCIRC workshops and seminars. Good
security training is hard to find and training budgets are tight. We found
the workshops and seminars provided valuable information for both protecting
our systems and for investigating incidents." John Feldman, State Department,
praised the pilot, saying "the FedCIRC training opportunities were terrific!"
On behalf of the DOJ, Vicki Lord said, "The Department of Justice appreciated
the opportunity to be a part of the FedCIRC pilot program. It was a valuable
learning experience which has enabled the Department to develop and implement
a more pro-active computer security program. The opportunities for training,
information sharing, and assistance were excellent." Recalling one of the
pilot's key objectives, to raise the awareness of the federal community
to sound computer security practices, the FedCIRC pilot constituency indicates
that this objective was most effectively met. Congratulations on the success
of the FedCIRC pilot and best wishes for the future as FedCIRC goes operational!
Statistics From FedCIRC Pilot
The number of incidents handled has grown significantly over the lifetime
of the pilot. In addition, the methodology for collecting and reporting
incident statistics evolved as the pilot matured. In the first year of
the pilot, FedCIRC-east (CERT) and FedCIRC-west (CIAC) handled 244 incidents
affecting thousands of sites. These incidents were broken down into various
types and the ripple effect impacted thousands of sites. In 1997, eighty-four
FedCIRC advisories were circulated. As of FY98, NASA's incident handling
team, NASIRC, joined in the reporting mechanism and their incident statistics
were incorporated into the overall number of .gov-related incidents handled
by the three teams: FedCIRC-east (CERT), FedCIRC-west (CIAC) and NASIRC.
For the first quarter, the number of incidents handled was 159 and the
number of FedCIRC information requests was 63. In the first half of fiscal
year 1998, the three teams responded to 442 .gov incidents; these incidents
affected tens of thousands of sites. By the end of fiscal year 1998, the
number of .gov-related incidents handled totalled 1,683 and 259 requests
for information were answered by FedCIRC. One-hundred and eleven FedCIRC
alerts were posted in FY98. The FedCIRC pilot web site was accessed nearly
370,000 times in FY98. During the pilot period, the FedCIRC team gave twenty-one
seminars, trained thousands of Federal employees and their contractors,
and visited scores of organizations to raise their awareness about the
need for increased IT security measures, including incident response. NIST
is in the process of analyzing the pilot's incident statistics. The analysis
will consist of a break-down of these incidents into category, exploit
used, and number of sites and hosts affected by the incident. When completed,
this analysis will be posted on the NIST websites:
Last Modified: December 18, 2013.