The Critical Infrastructure Assurance Office (CIAO) is an inter-agency organization established in 1998 by Presidential Decision Directive 63. Under PDD- 63, the Commerce Department is responsible for providing administrative support to the CIAO
The Secretary has delegated this responsibility to BXA.
The major functions of this Office are to provide administrative and planning support on critical infrastructure protection (CIP) issues to the National Security Council and the NSC's National Coordinator for Security, Infrastructure Protection and Counter-Terrorism, and to support the development of the National Plan for Infrastructure Assurance. The Office is also responsible for assisting Agencies in identifying their dependencies on critical infrastructures, and coordinating a national education and awareness program, legislative issues, and public affairs.
The CIAO had lead responsibility for developing version 1.0 of the National Plan for Infrastructure Assurance. This initial-version Plan, which was released in a White house ceremony by President Clinton in January, 2000, focused on the Federal government's efforts to improve information systems protection. Later versions of the Plan will expand its scope to discuss physical security issues involved in CIP, and will feature the private sector's role in infrastructure protection.
Over the last year and a half, the CIAO has worked closely with Federal Lead Agencies responsible for fostering effective CIP practices in individual industry sectors, and with private industry as a whole, to improve the nation's planning in the CIP area.
These initiatives are garnering self-sustaining industry actions, as well as laying a foundation for future cooperative initiatives. Partnering efforts fall under two major categories: sector partnerships and cross-sector partnerships that support the individual sector efforts.
A part of CIAO's mission is to coordinate a national education and awareness program to promote critical infrastructure assurance. CIAO promotes activities that inform business and technology leaders across industry and public institutions of the need to manage the risks that come with the benefits associated with reliance on information systems. CIAO focuses on initiatives that cut across industry sectors and are not the existing responsibility of agencies. In these initiatives, CIAO focuses on the policy, strategy and investment decision-making leadership across industry.
As industries began to organize themselves into partnerships with Federal Lead Agencies, they identified a need for cross-industry dialogue and sharing of experience to improve effectiveness and efficiency of individual sector assurance efforts. The PCIS was convened in response to that expressed need.
The Partnership provides an awareness and participatory forum for government and owners and operators of critical infrastructures to address cross-industry issues of mutual interest and concern. It encourages opportunities for mutual support and action across the sectors. It also engages other stakeholders in CIP, including the risk management (audit and insurance), investment and mainstream business communities. It builds upon public private efforts underway between lead Federal Agencies and Sector Coordinators designated for each of the critical infrastructure sectors. The Partnership is organized by industry for industry, with the U.S. Government acting as a catalyst and a participant.
Major PCIS activities include:
Interdependency Vulnerability Assessment and Risk Management
Cross Information Sharing,
General Industry Awareness and Outreach
Common Legislative and Public Policy Issues
Research and Development and Workforce Development
Input into subsequent versions of the National Infrastructure Assurance Plan
Outreach to state and local governments
An exploratory meeting with industry was convened on December 8, 1999, hosted by Department of Commerce Secretary in New York. The first industry organizing meeting was held on February 22, 2000 in Washington, D. C. at the U.S. Chamber of Commerce facilities, attended by over 135 company representatives. The Partnership held its midyear meeting in San Francisco on July 27, 2000, with representatives from industry, state and local and Federal governments attending. An agreement was reached by industry to work individually and together on providing input into the National Plan by end of March 2001. A governance structure was put in. place in the form of a coordinating committee that included all the sector coordinators from each of the industry sectors listed in PDD63 with the government sector liaisons as ad hoc members. The Coordinating Committee of the Partnership has provided an interim status report of its accomplishments and activities to date, which is contained in Part VI of this report.
The business risk management community, consisting of auditors, financial security analysts, the insurance community, the legal community and financial reporting boards serve as unique channels of communication to senior leadership of industry. Their role and responsibility to senior leadership are to assess business risks, communicate noteworthy changes to those risks, and support the management of them. Starting in second quarter, 1999, an awareness and education partnership was implemented by CIAO
with a consortium consisting of The Institute of Internal Auditors (IIA), National Association of Corporate Directors (NACD), the American Institute of Certified Public Accountants (AICPA), and the Information Security Audit and Control Association (ISACA). This consortium brought the involvement of a number of noted insurance firms, risk management professionals, legal counsel with particular expertise in information systems, respected corporate Board members, audit experts and financial security analysts from Wall Street.
The consortium held a series of five regional conferences, called "Audit Summits", kicked off with a high profile event in Washington, D.C. on April 18 ,2000. These meetings were hosted or sponsored by prominent corporations that included JC Penney's, Home Depot, New York Life Insurance, Oracle Corporation, Arthur Anderson, Deloitte & Touche, Price WaterHouse Coopers, and KPMG. The target audiences were directors of corporate Boards, chief auditors, and other corporate senior executives. The meetings rolled out a report, "A Call to Action for Corporate Governance: Information Security Management and Assurance ". This report provided guidance for corporate Boards on managing information security risks. In addition, a report by a noted Wall Street analyst was distributed on the possible effect of disruptions of information systems on shareholder value, "Information Security Impact on Securities Valuation ". Various discussions on corporate insurance, risk management and liability along with these two reports formed a "business case for action" relevant to Boards of Directors and corporate executives. Over 10,000 copies of the guide were distributed in the year 2000 to corporate directors across the U.S. IIA, who led and coordinated the "Audit Summits" for the consortium, rolled out a final report in October summarizing the conferences to over 300 of its chapters across the U.S. (including a videotape) as an education tool for auditors and also as support for tailored development and delivery of a "case for action" to their own corporate Boards. Press coverage for the Audit Summits ranged from the Wall Street Journal to Reuters to UPI to Computer World, as well as television such as CNN, local channels from CBS, NBC, and ABC.
As part of this initiative, CIAO staff also briefed financial security analysts in New York on the business issues related to information security. These briefings reinforced analysts' understanding of the importance of managing information technology properly, including the security of those information systems. The briefings also appeared to reinforce an emerging analysts' view that the information security segment of the information technology industry merits independent tracking and assessment. Salomon Smith Barney published an Equity Research Report in September on "Internet Security Software", laying out the landscape of the market for information security software (and services), describing the market drivers and scope, thereby "defining" information security as a noteworthy market segment in the financial security markets for probably the first time. This report was distributed to institutional investors across the United States.
Mainstream Industry Leadership: As part of its "partnership" with CIAO, the U.S. Chamber of Commerce has agreed to help distribute the "Call to Action for Corporate
Governance: Information Security Management and Assurance" to its affiliate chapters (about 3000 of them) across the U.S. once CIAO completes tailoring the material for their use.
Corporate Boards of Directors: The National Association for Corporate Directors (NACD) held a panel on Information Security and Corporate Governance in its program for its annual membership meeting in October, 2000. The panel included a Chief Financial Officer, a corporate President and Chief Operating Officer, and a Senior Partner of a services firm. NACD has initiated of its own volition a survey and development of a "best practices" white paper for Board oversight of information security. It has asked that CIAO provide advice as a "partner" during the development process. As a result of its participation in the Audit Summits, NACD's leadership has identified information security as an emerging issue on which it will continue to educate and provide support for its membership (many of whom sit on Boards of corporations from the Fortune 5000).
CEOs and CIOs: As a result of a representative attending an Audit Summit, CXO Media, Inc., publishers of CIO Magazine (CIO audience) and Darwin (CEO audience) is cooperating with the CIAO in a "partnership" to raise awareness and understanding of the issue of information security and management, targeting specifically CIOs and CEOs of Fortune 5000 companies. As part of this cooperation, CXO Media, Inc. and CIAO cosponsor two Internet Security Policy forums, specifically on information security related policies and strategies, and CXO Media will insert a session in each of its major annual conferences on CIP and information security.
The first Internet Security Policy Forum was held and web cast on September 27, 2000 in Washington, DC Feedback from the audience indicated it was effective and successful. The entire event was archived and is available for reference on CLO Magazine's web site. Sessions on CIP and information security were inserted into CIO Magazine's annual conferences in September and October. An average of 400 CIOs and other corporate executives attend these prestigious, invitation only events. CIAO co-hosts these sessions. The next conference, scheduled for January 30, 2001 will include a prime time session on "Protecting Infrastructures Across Borders," that will include public speakers from the U.S., Canada, Europe, and the Pacific Rim. As a result of the education provided by these sessions, enough interest has been generated such that both Darwin and CIO Magazines have begun to publish editorials and articles regularly on the subject.
Due to its experience with its own outreach program, CIAO also provides support for the Federal Lead Agencies and their counterparts in industry for outreach and awareness building, specifically through the sponsorship of workshops on common issues shared by many of the sectors, including risk management approaches, information sharing, legal obstacles, etc. It has also provided support for the building of industry specific "business case for action", since the business cases for senior leadership in industry tend to center around common concerns such as business operational survivability, customer relationships and confidence, and investor and public confidence.
The National Colloquium for Information Systems Security Education
Our nation needs an information-literate work force that is aware of its vulnerability, as well as a cadre of information professionals who are knowledgeable of the recognized "best practices" available in information security and information assurance, as called for in Presidential Decision Directive 63. The National Colloquium for Information Systems Security Education (the Colloquium) was established to serve as a forum to bring government, industry, and academia together to meet those challenges.
The Colloquium provides a forum to discuss and form needed direction in Information Security undergraduate and graduate curricula, common requirements, specific knowledge, skills and abilities, certification requirements, and establishment of professionalization boards. International participation began in 1999, and is predicted to continue in 2001.
Primary issues that were dealt with during the annual conference in 2000 included the outlook for information security from an industry perspective and the educational requirements for the year 2000+; the need for and the identification of Centers of Excellence in Information Assurance Education and the educational requirements that academia, government and industry perceive as an educational necessity. Working partnerships also continued to be strengthened among the participants with a commitment to expand more effective communications and to share information security resources; an agreement to continue the living body of the Colloquium and the annual conference; and, to further enhance its role as a forum for dialogue and collaboration among the three distinct constituencies represented.
Project Matrix is a three-step process. Step 1 identifies and prioritizes Federal departmental assets in terms of their role in fulfilling national security, national economic stability, or public health or safety missions. In Step 2, a functional analysis identifies and evaluates the specific dependencies of the highly critical Federal assets identified in Step 1. Step 3 addresses the services provided by public utilities (including electrical power, telecommunications, oil and natural gas, water and sewage, and transportation networks), their assets and their functional support elements. This assessment will tie to efforts coordinated through the agencies acting as Sector Leads.
|Current Status of Project Matrix Assignments|
|Step 1 Completed:||Department of Commerce C
(Proof of Concept - 1999)
Social Security Administration
Department of the Treasury
Department of Health & Human Services
|Step I Initiated:||Department of Energy|
|Step 2 Completed:||Department of Commerce C
(Proof of Concept - 2000)
|Step 2 Planned:||Social Security Administration
Department of the Treasury
Department of Health & Human Services