
Information Technology Security Program

Action:


The USPTO requires a funded, effective information technology (IT) security program that is compliant with the Federal Information Security Management Act (FISMA).

Background Information:


USPTO has made substantial investments in assuring its information systems, including firewall implementation, Public Key Infrastructure (PKI)-secured transactions with inventors, and encryption on local network segments. These efforts, while meritorious, do not sufficiently rise to the challenge of information assurance and the standard of protection required by the intellectual property in USPTO care. Several Office of Inspector General (OIG) audits identify the increasing diligence required of USPTO and of any agency that depends on automated systems or e-Government initiatives. Beyond these efforts, USPTO must be able to demonstrate its ability to certify and accredit (C&A) its systems and address increased requirements to assure international transactions.

In response, USPTO justified the expansion and restructuring of the IT Security Program Office (ITSPO). Pending the appointment of a Director and three new positions, a Program Manager was assigned to aggressively address the gaps between current and desired capability. The USPTO Security Program anticipates substantial initial investment to establish these initiatives, followed by increased budgetary emphasis on maintenance as compared to previous years.

The certification and accreditation effort will be a very significant undertaking in the next two years and on a continuing basis thereafter. Existing USPTO staff lack expertise in accomplishing accreditation in compliance with prevailing standards[1]. Furthermore, at existing staffing levels, ongoing maintenance and enhancement of systems leaves limited capacity to overcome the steep organizational change required initially. Consequently, contracted staff will be relied upon to provide the necessary expertise and expansion of capacity.

Projects requiring additional funding in fiscal year 2004 and in the out-years are the following:

(1)   Certification and Accreditation of USPTO Automated Information Systems;

(2)   Compliance Testing;

(3)   National Institute of Standards and Technology (NIST) Self-Assessments;

(4)   Infrastructure Protection;

(5)   Operations and Maintenance; and

(6)   IT Security Training.

Certification and Accreditation of USPTO Automated Information Systems


The Office of Management and Budget (OMB) Circular A-130 Appendix III defines requirements for certifying and accrediting the security of USPTO automated information systems that process sensitive information. All operational systems must be certified and accredited, with their security controls reviewed at least every three years. The USPTO has developed a plan for the certification and accreditation of all USPTO operational systems for compliance with OMB Circular A-130. A number of certifications and accreditations are under way. Additional funding to support this activity will be required beginning in fiscal year 2004.

Compliance Testing


Compliance testing is conducted to provide evidence of compliance with IT security laws, directives, and policies. It includes Security Test and Evaluation (ST&E) as part of the development lifecycle, as well as periodic audits and vulnerability testing to ensure that all elements of the operational system's security posture remain consistent with those envisioned during development. The Department of Commerce, in cooperation with OMB, the General Accounting Office (GAO), and the Congress, is instituting a program for compliance testing of major systems in each of its operating units. The USPTO must, therefore, develop a plan for compliance testing of USPTO systems and obtain funding support.

NIST Self-Assessment


Self-assessments provide a method for Department of Commerce and other agency officials to determine the current status of USPTO information security programs and, where necessary, establish targets for improvement. The NIST self-assessment guide (NIST Special Publication 800-26) uses a lengthy questionnaire of specific control objectives and techniques against which each automated information system is tested and measured. The control objectives and techniques are abstracted from requirements found in statute, policy, and security guidance. A self-assessment was performed in fiscal year 2001, but these assessments are required annually. Additional funding to support this activity will be required beginning in fiscal year 2004.

Infrastructure Protection


This project covers the systems critical to protecting the USPTO network and the operational systems on it. USPTO has unique relationships with patent offices in foreign jurisdictions. Agreements with these offices include the reliable exchange of sensitive information (e.g. among the Trilateral Offices: the European Patent Office (EPO), the Japan Patent Office (JPO) and the USPTO). USPTO needs funding to assure this secure network in accordance with the standards set by international agreement. Furthermore, in OIG and independent internal audits, inspectors recommend that the USPTO procure, install, and maintain an expanded intrusion detection capability.

Operations and Maintenance


This ongoing project includes implementing more robust procedures for regularly updating USPTO's enterprise infrastructure to maintain compliance with the enterprise security architecture.

IT Security Training


There are three basic types of IT security training: management, technical, and user awareness. Managers are required to be knowledgeable about their security responsibilities and the principles of effective risk management. Personnel in jobs administering and maintaining operational systems are required to be knowledgeable about IT security vulnerabilities, how to correct them, and what technical procedures should be implemented to maintain secure operational systems and their infrastructures. OMB Circular A-130 Appendix III requires that all government employees and contractors take user awareness training once a year. In June 2002, all USPTO employees completed IT security user awareness training. This training will be repeated annually. Plans are in place to expand management and technical training.

Other Options Considered:


Given Federal laws regarding information system accreditation and the protection of intellectual property, the objectives of the USPTO Security Program are mandatory. Discretion can be applied only in the means, schedule, risk and cost by which the objectives are achieved. In response to an OIG recommendation that all USPTO systems receive accreditation by fiscal year 2003, USPTO proposed an alternate completion schedule by which all high-risk systems would be accredited by fiscal year 2003 and all remaining systems by fiscal year 2004. As previously stated, USPTO staff would require additional expertise to accomplish formal accreditation, and there would be a substantial impact on planned business user productivity if USPTO staff were reallocated to the security program.

Alternatives include:

- Do not establish and maintain a revised IT security program

- Revise IT security program incrementally

- Conduct agency organizational change effort and integration of IT security program

Option 1 Impact -- Do not establish and maintain a revised IT security program:


- The USPTO's current status of non-compliance will continue for a minimum of five years due to lack of resources to establish an effective IT security program.

- The USPTO will continue to be scrutinized by the OIG and be the subject of additional negative reports.

    - Requires use of resources to respond to reports instead of establishing the program (which could reduce scrutiny).

    - Requires burdensome extra reporting to the OIG.

- The USPTO's customers will continue to question the reliability of its automated information systems.

- OMB and Congress will eventually use budget constraints to force compliance.

- Funding and resources can be allocated to other priorities.

- USPTO will be operating at an unqualified level of risk, with a corresponding marginal increase in the probability of compromise.

This option is not recommended because it does not allow us to address the OIG's and the Department's IT security concerns in a reasonable timeframe.

Option 2 Impact -- Revise IT security program incrementally:


- Focused efforts in critical areas will achieve operational security and regulatory compliance.

- Combined teams of contractors and agency staff will create specific project plans for specific audit item objectives.

- Less impact on the production system enhancement schedule than Option 3.

- Positions the agency positively for more comprehensive organizational change.

- Agency staff have the requisite system and culture knowledge to drive organizational change most efficiently. Dependency on contractors under this option increases cost and quality risks.

- The prior security culture will not be radically modified, which bounds the qualitative improvements achievable.

This option is recommended.

Option 3 Impact -- Conduct agency organizational change and integration of IT security program:


- Agency staff would contribute unique system and culture knowledge to address pervasive security issues.

- Revised processes would reflect an enduring organizational change in all aspects of system development and operations (planning, staffing, budgeting, testing, training, etc.).

- The agency would realize the highest quality of security program, exceeding regulatory requirements and positioned for continual improvement.

- Lower incremental cost, as contractor staff are required for subject matter expertise only.

- Greater lag time between the initiation of the security program revision and the achievement of regulatory compliance.

- Reallocation of agency staff from existing development efforts would severely impact the aggressive business system enhancements required to streamline USPTO processes.

This option is not recommended because the security program must be balanced with other strategic objectives that seek business process improvements through automation. Excessive emphasis on the security program would preclude these objectives.

USPTO Recommended Course of Action:


Option 2, conduct an incremental revision of the IT security program using government and contractor staff support, is recommended.

- The USPTO must comply with IT security laws, policies, and guidance.

- Because of OMB, GAO, OIG, and Department of Commerce oversight, the criticality of establishing an IT security program has greatly increased.

- The Office of the Chief Information Officer does not have the staff or expertise to establish and maintain an IT security program in compliance with government law, policies, and guidance.

All USPTO employees must be trained to the degree that their job responsibilities relate to using, managing, administering, and maintaining IT systems.

Risks:


Without adequate protection of the integrity and availability of USPTO automated information systems, the USPTO is at risk of the following:

- Financial loss (revenue, market impact)

- Disruption of service of automated information systems

- Damage to automated information systems and infrastructure

- Data loss or alteration

- Information loss or alteration

- Property loss

- Embarrassment and loss of trust and goodwill

Return on Investment:


The expense of the USPTO IT Security Program can be justified by savings realized through reduced federal expenses related to audits and by a reduction in the probability of loss. Neither element can be definitively quantified, but both are supported by qualitative arguments.

The deficiencies relative to Federal law imply a reduced operational posture that increases the likelihood of system compromise. Given the worldwide exposure of USPTO systems through the Internet, an instance of disclosure or corruption of confidential US intellectual property would result in substantial losses. Each patent and trademark application carries a market value. Particularly in the case of patents, disclosure of patent status (e.g. progress towards approval) could affect the equity positions of the relevant company and its competitors. Corruption of patent content could result in application rejection and an opportunity for inappropriate approval of a competing application. Any one security breach could imply a breach of the more than 300,000 applications received annually, resulting in market impact and costs to restore confidence. USPTO does not have reliable estimates of security breach probability, market impact, or cost to restore confidence. However, unavailability of system access for examiners implies a $7 million per day recovery expense for the USPTO. Assuming a 30 percent impact on productivity, responding to a major security incident would cost $2.1 million per day in revenue alone. Only two days of impact per year are needed to quantitatively justify the Security Program initiatives. Other costs are likely to be an order of magnitude larger, creating a compelling qualitative justification.

Proof of Concept:


Investment risks are mitigated with a proof of concept. The proof of concept provides:

- Evidence supporting planned value

- Early identification of implementation risks

- Increased quality based on lessons learned

With appropriate exceptions, the Security Program will leverage managed phases in implementation to better assure return on investment for this effort.

The USPTO is approaching IT security in layers. For example, the Office is certifying and accrediting its perimeter infrastructure as a prerequisite to internal business systems. This layered approach enables the USPTO to prove its approach in limited and "interest bearing" areas to reduce overall risk and subsequent effort. Internal business systems will inherit the security posture of the perimeter system, facilitating business system accreditation; only the controls the perimeter actually provides (e.g. boundary protection) are inherited, so each business system's own system-specific controls must still be assessed. In this sense, each effort is staged in consideration of proof of concept objectives.

Certification and Accreditation (C&A) of USPTO Automated Information Systems


The measure of success for C&A is the ability to plan the work to complete an accreditation effort on a business system, and therefore to make accreditation a part of the system lifecycle. This Security Program includes elements of organizational change and infrastructure definition to facilitate business application accreditation by January 2003. Therefore, the C&A proof of concept will be the May 2003 accreditation of the USPTO Financial Support System. This business system began formal C&A tasks in January 2003. Collected metrics will include qualification of accreditation status and the level of effort required to accomplish accreditation. Lessons learned from this initial business system accreditation will be leveraged for subsequent systems.

Compliance Testing


Compliance testing consists of periodic internal inspections, independent audits, and ST&E programs. Independent audits have been conducted previously at USPTO and are well-understood efforts that preclude the need for a dedicated proof of concept. Internal inspections and ST&E programs will be prototyped via the Certification & Accreditation work stream. Therefore, no dedicated Proof of Concept is planned in support of compliance testing.

NIST Self-Assessment


The NIST Self-Assessment is also a modest budget element; in this case, however, a proof of concept is warranted. If not managed, the self-assessments are likely to adversely impact the system teams responsible for solution development. Directing the right questions to the right roles greatly improves the quality and efficiency with which these assessments are accomplished. The objective metric in the NIST questionnaire proof of concept is total effort to complete. The proof of concept will establish a baseline for subsequent efforts and will be complete in May 2003.

Infrastructure Protection


The Infrastructure Protection includes three system efforts: Host-based Intrusion Detection System, Trilateral Network, and Firewall consolidation. In accordance with existing USPTO Lifecycle Management (LCM) procedures, quality assurance and operational validation will occur. Since the LCM process is demonstrably mature, the USPTO Security Program Manager will defer proof of concept objectives to it.

Operations and Maintenance


The operations and maintenance methods of the Security Program are well understood and do not require a proof of concept to validate. Cost and schedule efficiency would be reliably realized without a pilot effort.

IT Security Training


Training represents a critical enabler of the other elements of the Security Program, C&A in particular. The ability to effectively communicate methods and procedures to day-to-day practitioners enables security by design rather than security by inspection. Creative methods of training delivery will be employed to overcome the lack of time and the preponderance of information burdening USPTO staff. These methods will be evaluated in a proof of concept for efficiency of effort, attendance, information retention, and positive student perception. The proof of concept will occur upon initial course development in March 2003.



[1] NSTISSI No. 1000 (NIACAP) has been selected by the Department of Commerce until such time as NIST SP 800-37 achieves appropriate agency adoption.

Implementation Schedule

Work Breakdown Structure (WBS) / Task Name / Start / Finish / Project Lead
39 E-Government 4: CIO-01 - IT Security Program 04/01/02 12/29/06 J. Hurford
39.1 Certification and Accreditation (CIO-01) 04/03/02 09/29/06
39.1.1 Pilot C&A of first five AISs (CIO-01) 04/03/02 09/13/02
39.1.2 Perform C&A for FY03 Target Group of AISs (CIO-01) 10/03/02 09/30/03
39.1.3 Perform C&A for FY04 Target Group of AISs (CIO-01) 10/01/03 09/30/04
39.1.4 Perform C&A for FY05 Target Group of AISs (CIO-01) 10/01/04 09/30/05
39.1.5 Perform C&A for FY06 Target Group of AISs (CIO-01) 10/03/05 09/29/06
39.2 Self-Assessment of IT Security Controls (CIO-01) 01/03/03 12/29/06
39.2.2 Perform NIST Self-Assessments of All AISs (CIO-01) 01/03/03 09/30/03
39.2.3 Perform NIST FY04 Annual Self-Assessments for all USPTO AISs (CIO-01) 10/01/04 12/31/04
39.2.4 Perform NIST FY05 Annual Self-Assessments for all USPTO AISs (CIO-01) 10/03/05 12/30/05
39.2.5 Perform NIST FY06 Annual Self-Assessments for all USPTO AISs (CIO-01) 10/02/06 12/29/06
39.3 Compliance Testing (CIO-01) 01/03/03 11/26/03
39.3.1 Develop Compliance Testing Plan and Procedures (CIO-01) 01/03/03 03/31/03
39.3.2 Perform Compliance Testing of Identified AISs Per FY (CIO-01) 06/30/03 11/26/03
39.4 Maintenance of Server Security (CIO-01) 03/31/03 09/02/03
39.4.1 Develop Procedures for Regular Update of Server Security (CIO-01) 03/31/03 05/30/03
39.4.2 Develop Contractor Tasking for Server Security Maintenance (CIO-01) 06/02/03 08/01/03
39.4.3 Award Contract and Implement Server Security Maintenance (CIO-01) 08/04/03 09/02/03
39.5 Host-based IDS (CIO-01) 11/15/02 02/02/04
39.5.1 Design Host-Based Intrusion Detection System (IDS) (CIO-01) 11/15/02 04/15/03
39.5.2 Purchase H/W for Host-Based IDS (CIO-01) 04/15/03 05/15/03
39.5.3 Purchase S/W for Host-Based IDS (CIO-01) 04/15/03 05/15/03
39.5.4 Perform Testing of Host-Based IDS (CIO-01) 09/02/03 11/26/03
39.5.5 Deploy Host-Based IDS on all Servers (CIO-01) 12/01/03 01/30/04
39.5.6 Implement Host-Based IDS (CIO-01) 02/02/04 02/02/04
39.6 IT Security Training (CIO-01) 04/01/02 09/29/06
39.6.1 Develop IT Security Training Plan (CIO-01) 04/01/02 12/17/02
39.6.2 Develop IT Security Training Program (CIO-01) 11/18/02 06/30/03
39.6.3 Distribute IT Security Training Plan to OCIO Managers (CIO-01) 05/15/03 05/30/03
39.6.4 Distribute IT Security Training Plan to non-OCIO Managers (CIO-01) 05/30/03 06/30/03
39.6.5 Complete Minimum FY03 Requirements Training of Managers (CIO-01) 05/02/03 09/30/03
39.6.6 Complete Minimum FY04 Requirements Training of Managers (CIO-01) 05/03/04 09/30/04
39.6.7 Complete Minimum FY05 Requirements Training of Managers (CIO-01) 05/02/05 09/30/05
39.6.8 Complete Minimum FY06 Requirements Training of Managers (CIO-01) 05/01/06 09/29/06
39.6.9 Complete Minimum FY03 Requirements Training of Technical Personnel (CIO-01) 05/02/03 09/30/03
39.6.10 Complete Minimum FY04 Requirements Training of Technical Personnel (CIO-01) 05/03/04 09/30/04
39.6.11 Complete Minimum FY05 Requirements Training of Technical Personnel (CIO-01) 05/02/05 09/30/05
39.6.12 Complete Minimum FY06 Requirements Training of Technical Personnel (CIO-01) 05/01/06 09/29/06
39.6.13 Complete FY03 IT User Awareness Training of all USPTO Employees and Contractors (CIO-01) 04/01/03 06/30/03
39.6.14 Complete FY04 IT User Awareness Training of all USPTO Employees and Contractors (CIO-01) 04/01/04 06/30/04
39.6.15 Complete FY05 IT User Awareness Training of all USPTO Employees and Contractors (CIO-01) 04/01/05 06/30/05
39.6.16 Complete FY06 IT User Awareness Training of all USPTO Employees and Contractors (CIO-01) 04/03/06 06/30/06