SRA International Study
Focusing its professional experience and talents on the federal government's national security agencies was smart for SRA because there is a multitude of functions within each department that need security and hardened services. In other words, there is an enormous amount of work for a security contractor that is tackling those crucial issues in thirteen of the fifteen departments linked to the executive branch of the federal government. Moreover, providing IT services for the Joint Chiefs of Staff and the four military departments is an enormous job, which pays well of course but is also vital to the security of the nation. On top of those duties, SRA has a huge workload securing two of the largest agencies in the federal government. For example, the U.S. Department of Homeland Security -- established after the terrorist attacks on September 11, 2001 -- has numerous agencies within the Department which require security, including the Domestic Nuclear Detection Office, the Office of Intelligence and Analysis, the Science and Technology Directorate, the U.S. Secret Service, Immigration and Customs Enforcement and the Transportation Security Administration, among several others. And the U.S. Department of Defense has a powerful need to secure its command and control, its communications, and its intelligence, reconnaissance and surveillance components, so SRA has its hands full with the duties and responsibilities vis-a-vis these two massive federal agencies -- and all the individual departments within those behemoths. Beyond those responsibilities, there is a myriad of other IT-related and security-related services that SRA provides, including training and web development in other departments like the EPA, the Veterans Administration and the Agency for International Development.
Open source intelligence is defined as those informational sources that are not hidden, but instead are found on television, in newspapers, over the radio, in magazines, on the Internet and elsewhere. Gathering and analyzing these sources of intelligence -- SRA uses what it calls "NetOwl" text mining software -- is part of the job of protecting America and its assets. There is a strong relationship between open source intelligence and the need for security in the United States. SRA's software can analyze unlimited numbers of reports, newspapers and web pages -- and can translate this data from Farsi, Korean, Spanish, French, Arabic, English and Chinese -- through its text mining capabilities. Businesses (and individuals who post information on Facebook, etc.) should be concerned about their open source materials because, with data mining functionality, a company like SRA can find and store data from any company's spreadsheets and databases.
Critical infrastructures, according to the Department of Homeland Security, are the "…assets, systems, and networks, whether physical or virtual," that are so important that having them violated could negatively impact U.S. economic security and the public health and welfare (DHS). According to the SRA report, the United States' critical infrastructures include: the Department of Defense, the Department of Homeland Security, the Department of Health and Human Services, the General Accounting Office, the Treasury Department and the Environmental Protection Agency. As for examples within the Homeland Security Department, there are several critical infrastructure sectors, including the "chemical sector," the "communications sector," the "dams sector," the "energy sector" and the "emergency services sector," among others.
The importance of improved interoperability -- one system using parts of another system, or interacting by sharing data and interpreting shared data with another system -- cannot be overstated when it comes to protecting American critical infrastructure from hackers, terrorists, or others who would bring harm to the United States. For example, SRA has provided privacy training for government personnel and is "integrating privacy policy across" several federal agencies, which is itself an example of interoperability. The security strategies that work for the Department of Homeland Security in most cases also work for the Department of Defense; hence, interoperability and cooperation between agencies are vital when it comes to protecting federal agencies from attack or compromise.
When FISMA replaced the Government Information Security Reform Act (GISRA), it was done to plug certain holes -- things that were left out and hence created the possibility of security breaches -- that existed under GISRA. In fact, GISRA did many of the things that FISMA does, including requiring agencies to develop security policies and submit those policy plans (and a compliance report) to the Office of Management and Budget. However, under GISRA agencies were not provided funds that could pay for assessments of their security measures, and FISMA does provide those funds. GISRA also did not provide specifics as to the kinds of IT controls that agencies should put in place, and there were no standards through which risk levels could be determined. The FISMA guidelines are far more specific, and FISMA gives each federal agency eight requirements to comply with.
Those eight FISMA requirements are a very good model for business information security programs because they provide specifics on the risks that departments face and they impose a strict set of procedures which help mitigate the risks associated with security incidents. Moreover, the eight FISMA requirements call for action plans that are intended to zero in on weaknesses in an agency's security plan -- and provide a way to resolve those deficiencies.
It appears that the reason so many agencies failed their security report card, or got poor grades on that report card, is that those agencies were compromised when it comes to confidentiality and integrity. In other words, an F or D- means that the security objectives were simply not met. Moreover, the SRA report itself says that complying with FISMA regulations is "…a complex task that requires each federal agency to conduct an in-depth security assessment," and for several of the agencies that got poor grades this task was obviously not met; hopefully the agencies that failed miserably can learn from this report and be better prepared to present a workable security plan the next time around.
When it comes to the difference between the federal government's guidelines regarding information security (legal regulations) and private industry's guidelines, there are no across-the-board rules and regulations for private industry. Each corporation or private entity must carve out its own security regulations, and there is no federal law requiring private industry to enact specific regulations. There is also no federally mandated strategy with which non-governmental organizations and businesses must comply.