Agencies to share custom IT security training practices

A new strategy for information security training that relies on agencies to share specialized products and best practices will roll out by the end of 2008, said representatives from the Homeland Security Department Tuesday. But without requirements for agencies to take advantage of such services, a lack of training may continue to threaten the security of federal networks, they said.

The 2002 Federal Information Security Management Act and the information system security line of business, or ISS LOB, which is part of the 2001 President's Management Agenda, encourage a common suite of ISS training products and services to ensure that government employees follow protocol for protecting sensitive information. By Sept. 30, 2008, agencies are required to implement security awareness training from approved shared service centers offered by the Defense Department, Office of Personnel Management and a joint effort between the State Department and the U.S. Agency for International Development. According to the Office of Management and Budget's 2007 report on FISMA implementation, slightly more than 138,500 employees--or 4 percent--in large agencies received security awareness training via the ISS LOB.

"Security awareness training is required annually," said Michael Smith, ISS LOB program manager at DHS, during a conference of the Federal Information Systems Security Educators' Association, an organization run by and for government ISS professionals. "If you comply, it's supposed to be enough. I contend it's not. We should be providing training on a continuous basis and look at the effectiveness of that training…. There's a lot that needs to be done. Leadership needs to place more emphasis on education; [otherwise], we'll continue to make small steps." A request for proposals will be released soon for private sector vendors to offer security awareness training products through the General Services Administration, he said.

Beyond training, the ISS LOB recommends, though doesn't require, that employees receive specialized instruction in information security more customized to their roles and the primary business processes of their agencies. According to a survey of federal employees conducted by the volunteer cross-agency workgroup that is developing the information security training standards, less than half of respondents have a role-based security training curriculum, and 80 percent said they would like training services provided by the shared service centers.

"The overarching objective [of the workgroup] has been to identify common requirements that could be addressed by governmentwide shared solutions," said Brenda Oldfield, director of education, training and workforce development at Homeland Security. "There are things happening, but probably not enough."

Education on best practices for specific roles in the agency, dubbed as ISS LOB's "tier II" training, will be offered through a shared services provider model. Separate from the shared service centers that assist agencies with security awareness training, shared service providers would, on a volunteer basis, offer role-based training products and services they've used internally. Ideally, these services would be maintained on a Web site similar in function to the Component Organization and Registration Environment (core.gov), which provides business process software that agencies across government can leverage. But with no requirement attached to tier II training, questions remain about funding and management of such a Web site and initiative.

"The vision is to go to agencies and see if they're willing to provide their own offerings, so in some way we can help each other," said Susan Hansche, the training director for information assurance at Nortel Government Solutions in Fairfax, Va., the company that manages role-based information assurance training for the State Department. "This does mean [that] agencies will need to be willing to share. I wanted to mandate that [agencies] offer a Web site [promoting their offerings], but I lost."

Efforts for the tier II ISS LOB training are ongoing. Currently, the workgroup is promoting allocated funding for the customized training, as well as for a separate training series for those who hold IT security positions, interagency exercises for real world experience, and policy from the Office of Personnel Management requiring some form of training certifications.

"In the short term, the resources are not there," Smith said. "It won't be until the fourth quarter of this year that you might see a tier II statement of capability" that outlines the initiative.