The USPTO requires a funded, effective information technology
(IT) security program that is compliant with the Federal Information
Security Management Act
USPTO has made substantial investment in assuring information systems
including firewall implementation, Public Key Infrastructure (PKI) secured
with inventors, and encryption on local network segments. These efforts,
while meritorious, do not sufficiently rise to the challenge of information
assurance and the standard of protection required by the intellectual property
in USPTO care. Several Office of Inspector General (OIG) audits identify
the increasing diligence required of USPTO and any agency that depends on
automated systems or e-Government initiatives. Despite other efforts, USPTO
must communicate its ability to certify and accredit (C&Amp;A) its systems
and address increased requirements to assure international-based transactions.
In response, USPTO justified the expansion and restructuring of the IT
Security Program Office (ITSPO). Pending the appointment of a Director and three
new positions, a Program Manager was assigned to aggressively address gaps
in current versus desired capability. The USPTO Security Program predicts
substantial investment required to establish initiatives followed by increased
budgetary emphasis for maintenance as compared to previous years.
A very significant effort in the next two years and on a continuing basis
is the certification and accreditation effort. Existing USPTO staff
lack expertise on accomplishing accreditation in compliance with prevailing
at existing staffing levels, ongoing maintenance and enhancement of systems
provides limited availability
to overcome the steep organizational change required initially. Consequently,
contracted staff will be relied upon to provide the necessary expertise
and expansion of capacity.
Projects requiring additional
funding in fiscal year 2004 and in the out-years are the following:
(1) Certification and Accreditation
of USPTO Automated Information Systems;
(2) Compliance Testing;
(3) National Institute of
Standards and Technology (NIST) Self-Assessments;
(4) Infrastructure Protection;
(5) Operations and Maintenance;
(6) IT Security Training.
Certification and Accreditation of USPTO Automated Information
The Office of Management and Budget (OMB) Circular A-130 Appendix III
defines requirements for certifying and accrediting the security of USPTO
information systems for processing sensitive information. All operational
systems must be certified and accredited with reviews of security controls
every three years. The USPTO has developed a plan for the certification
and accreditation of all USPTO operational systems for compliance with OMB
Circular A-130. A number of certifications and accreditations are under
way. Additional funding to support this activity will be required beginning
in fiscal year 2004.
Compliance testing is conducted to provide evidence
of compliance with IT Security laws, directives, and policies. Compliance
testing includes Security Test and Evaluation (ST&E) methods as part
of the development lifecycle. It also includes appropriate audits and vulnerability
testing to ensure all elements of the operational system security posture
are consistent with those envisioned during development. The Department
of Commerce, in cooperation with the OMB, the Government Accounting Office
(GAO), and the Congress, is instituting a program for compliance testing
of major systems in each of its operating units. The USPTO must, therefore,
develop a plan for compliance testing for USPTO systems and obtain funding
Self-assessments provide a method for Department of Commerce and other
agency officials to determine the current status of USPTO information security
and, where necessary, establish a target for improvement. This self-assessment
guide utilizes a lengthy questionnaire containing specific control objectives
and techniques against which each automated information system is to be tested
and measured. The control objectives and techniques are abstracted from
requirements found in statute, policy, and guidance on security. A self-assessment
was performed in fiscal year 2001, but these assessments are required annually. Additional
funding to support this activity will be required beginning in fiscal year
Included in this project are systems critical for the protection
of the USPTO network and the operational systems on the network. USPTO has
unique relationships with patent offices in foreign jurisdictions. Agreements
with these offices include reliable exchange of sensitive information (e.g.
Trilateral Offices -- the European Patent Office (EPO), the Japan Patent
Office (JPO) and the USPTO). USPTO needs funding to assure this secure network
in accordance with standards by international agreement. Furthermore,
within OIG and independent internal audits, inspectors recommend that the
procure, install, and maintain an expanded intrusion detection capability.
Operations and Maintenance
This ongoing project includes implementing more robust procedures
for regularly updating USPTO's enterprise infrastructure to maintain compliance
with the enterprise security architecture.
IT Security Training
There are three basic types of IT Security Training: Management,
Technical, and User Awareness. Managers are required to be knowledgeable
of their security responsibilities and principles of effective risk management. Personnel
in jobs administering and maintaining operational systems are required to
be knowledgeable of IT security vulnerabilities, how to correct these vulnerabilities,
and what technical procedures should be implemented for maintaining secure
operational systems and their infrastructures. OMB Circular A-130 Appendix
III requires that all government employees and contractors take user awareness
training once a year. In June 2002, all USPTO employees completed IT security
user awareness training. This training will be repeated annually. Plans
are in place to expand management and technical training.
Other Options Considered:
Given Federal laws regarding information system accreditation
and the protection of intellectual property, the objectives of the USPTO
Security Program are mandatory. Discretion can be applied in the means,
schedule, risk and cost by which the objectives are achieved. In response to an OIG recommendation
that all USPTO systems receive accreditation by fiscal year 2003, USPTO proposed
an alternate completion schedule by which all high-risk systems would be
accredited by fiscal year 2003 and all remaining systems by fiscal year 2004. As
previously stated, USPTO staff would require additional expertise to accomplish
formal accreditation and there would be substantial impact to planned business
user productivity if USPTO staff were reallocated to the security program.
not establish and maintain a revised IT security program
IT security program incrementally
agency organizational change effort and integration of IT security program
Option 1 Impact -- Do not establish and maintain
a revised IT security program:
USPTO's current status of non-compliance will continue for a minimum of
five years due to lack of resources to establish an effective IT security
USPTO will continue to be scrutinized by the OIG and the subject of additional
use of resources to respond to reports instead of establishing program
(which could reduce scrutiny).
burdensome extra reporting to the OIG.
USPTO's customers will continue to question the reliability of automated
and Congress will eventually use budget constraints to force compliance.
and resources can be allocated to other priorities.
will be operating at an unqualified level of risk which results in marginal
increase to the probability of compromise.
This option is not recommended because it does not allow for us to address
and the Department's IT security concerns in a reasonable timeframe.
Option 2 Impact -- Revise IT security program
efforts in critical areas will achieve operational security and regulatory
teams of contractors and agency staff will create specific project plans
for specific audit item objectives.
impact to production system enhancement schedule than Option 3.
agency positively for more comprehensive organizational change.
staff has requisite system and culture knowledge to most efficiently drive
organizational change. Dependency on contractors with this option increases
cost and quality risks.
security culture will not be radically modified and bound qualitative improvements.
This option is recommended.
Option 3 Impact -- Conduct agency organizational
change and integration of IT security program:
staff would contribute unique system and culture knowledge to address pervasive
issues of security.
processes would reflect an enduring organizational change in all aspects
of system development and operations (planning, staffing, budgeting, testing,
would realize highest quality of security program, exceeding regulatory
requirements and positioned for continual improvement.
incremental cost as contractor staff are required for subject matter expertise
lag time between the initiation of security program revision and the achievement
of regulatory compliance.
of agency staff from existing development efforts would severely impact
the aggressive business system enhancements required to streamline USPTO
This option is not recommended because the security
program must be balanced with other strategic objectives that seek business
process improvements through automation. Excessive emphasis of the security
program would preclude these objectives.
USPTO Recommended Course
Option 2, conduct an incremental revision of the
IT security program using government and contractor staff support, is recommended.
USPTO must comply with IT security laws, policies, and guidance.
of OMB, GAO, OIG, and Department of Commerce oversight, the criticality
of establishing an IT security program has greatly increased.
Office of the Chief Information Officer does not have the staff or expertise
to establish and maintain an IT security program in compliance with government
law, policies, and guidance.
All USPTO employees must be trained to the degree that their
job responsibilities relate to using, managing, administering, and maintaining
Without adequate protection of the integrity and availability of USPTO automated
information systems, the USPTO is at risk of the following:
loss (revenue, market impact)
of service of automated information systems
to automated information systems and infrastructure
loss or alteration
loss or alteration
and loss of trust and goodwill
Return on Investment:
The expense related to the USPTO IT Security Program can
be justified by savings realized in reduced federal expenses related
to audits and by a reduction in probability of loss. Neither element can
be definitively quantified, but are supported by qualitative arguments.
The deficiencies related to Federal Law imply a reduced
operational posture that increases the likelihood of system compromise. Given
the worldwide exposure of USPTO systems through the Internet, an instance
of disclosure or corruption of confidential US intellectual property would
result in substantial losses. Each patent and trademark application carries
a market value. Particularly in the case of patents, disclosure of patent
status (e.g. progress towards approval) could affect equity positions of
the relevant company and competitors. Corruption of patent content could
result in application rejection and an opportunity for inappropriate approval
of a competing application. Any one instance of security breach could imply
breach of the more than 300,000 applications received annually resulting
in market impact and costs to restore confidence. USPTO does not have reliable
estimates on security breach probability, market impact, or cost to restore
confidence. However, unavailability of system access for examiners implies
a $7 million per day recovery expense for the USPTO. Assuming a 30 percent
impact to productivity, responding to a major security incident would cost
$2.1 million per day in revenue alone. It takes only two days of impact
per year to quantitatively justify the Security Program initiatives. However,
other costs are likely to be an order of magnitude larger, creating a compelling
Proof of Concept:
Investments risks are mitigated with a proof of concept. The
proof of concept provides:
supporting planned value
identification of implementation risks
quality based on lessons learned
With appropriate exceptions, the Security Program will leverage
managed phases in implementation to better assure return on investment for
The USPTO is approaching IT Security in layers. For example,
the Office is Certifying and Accrediting its perimeter infrastructure as
a prerequisite to internal business systems. This layered approach enables
the USPTO to prove its approach in limited and "interest bearing" areas to
reduce overall risk and subsequent effort. Internal business systems will
inherit the security posture of the perimeter system facilitating the business
system accreditation. In this sense, each effort is staged in consideration
of proof of concept objectives.
Certification and Accreditation
USPTO Automated Information Systems
The measure of success for C&Amp;A is the
ability to plan work to complete an accreditation effort on a business
system and therefore enable accreditation to become a part of the system
lifecycle. This Security Program includes elements of organizational
change and infrastructure definition to facilitate business application
accreditation by January 2003. Therefore, the C&Amp;A Proof of Concept
will be the May 2003 accreditation of the USPTO Financial Support System. This
business system began formal C&Amp;A tasks in January 2003. Collected
metrics will include qualification of accreditation status and level
of effort to accomplish accreditation. Lessons learned from this initial
business system accreditation will be leveraged for subsequent systems.
Compliance testing consists of periodic internal
inspections, independent audits, and ST&E programs. Independent
audits have been conducted previously at USPTO and are well-understood efforts
that preclude the need for a dedicated proof of concept. Internal inspections
and ST&E programs will be prototyped via the Certification & Accreditation
work stream. Therefore, no dedicated Proof of Concept is planned in support
of compliance testing.
The NIST Self-Assessment is also a modest budget element, however, in
this case a proof of concept
is warranted. If not managed, the self-assessments
are likely to adversely impact the system teams responsible for solution
development. Managing the right questions to the right roles greatly facilitates
the quality and efficiency by which these assessments are accomplished. The
objective metric in the NIST questionnaire proof
is total effort to complete. The proof of concept will establish a baseline
for subsequent efforts and will be complete in May 2003.
The Infrastructure Protection includes three system efforts: Host-based
Intrusion Detection System, Trilateral Network, and Firewall consolidation. In
accordance with existing USPTO Lifecycle Management (LCM) procedures, quality
assurance and operational validation will occur. Since the LCM process
is demonstrably mature, the USPTO Security Program Manager will defer proof
of concept objectives to it.
Operations and Maintenance
The operations and maintenance methods of the Security Program
are well understood and do not require a proof of concept to validate. Cost
and schedule efficiency would be reliably realized without a pilot effort.
IT Security Training
Training represents a critical enabler of other elements
of the Security Program, C&Amp;A in particular. The ability to effectively
communicate methods and procedures to day-to-day practitioners enables security
by design versus security by inspection. Creative methods of training delivery
will be employed to overcome the lack of time and preponderance of information
burdening USPTO staff. These methods will be evaluated in a proof of concept
for efficiency of effort, attendance, information retention, and student
positive perception. The proof of concept will occur upon initial course
development in March 2003.
1000 (NIACAP) has been selected by Department of Commerce until such time
as NIST 800-37 achieves appropriate agency adoption.