Volume 3, No. 3
Published by MIDSD/NCC
May/June 1980
 WCC  TO  BE  TRANSFERRED  TO  RTP
                                                                    Maureen Johnson
 The WCC computer facility and  support functions will be transferred to Research Triangle
 Park, N.C.,  in FY1981.   The  move includes all user processing and entails the  transfer of
 user  programs,  data,  and any  associated procedural  modifications.   The Waterside  Mall
 Distribution Center and  a User Support  function will be  retained  at EPA headquarters in
 Washington,  D.C.

 To  reduce user  impact, the MVS operating system and supported software will be installed
 as  nearly like  the  current system  at WCC as possible.  The new  hardware configuration is
 built around an IBM 370/168-MP with six megs of memory for each  processor.  Disk capacity
 will  increase by  20 percent over current WCC capacity.  A mass  storage device with 102.2
 billion bytes of capacity with appropriate  disk  staging  will be  installed later  in the
 year.

 Detailed  plans  are  in  development  for each phase of  the  transfer.   User meetings,
 conference calls, memos,  and discussions with various user groups will  provide  information
 and  the opportunity to exchange ideas on how the data center can best  meet user needs in
 the future.
FADPUG  SPONSORS  SECURITY  CONFERENCE
                               Peg Hall

Many   users   of  ADP   in   the   Federal
Government  belong  to  an  OMB-sponsored
organization  called  the Federal ADP Users
Group.  It is better known by its  acronym,
FADPUG.  One  of FADPUG's suborganizations,
the Special Interest Group on Security and
Auditing,  recently  sponsored  a  2-day
conference  on computer security.   The
conference was held at  the National Bureau
of Standards  in Gaithersburg, Maryland.

Computer security  is currently  such  a
high-interest  item that  the conference
attracted over 500 people.   Not only were
most  Federal  agencies represented,  but
also  the  Canadian  Government,  several
universities, and a number of businesses.

Two  of the   conference's  speakers  have
national reputations in the security area.
               Bob Courtney of IBM  said that ADP's number
               one security  problem is  carelessness  and
               ignorance, not fire, flood,  embezzlement,
               or bombs.  Dr.  Carl Hammer, Director  of
               Computer  Sciences at Sperry  Univac,  spoke
               on  the  need  to  take  a  total system
               approach  to data security.   He emphasized
               that  data can be altered,  destroyed,  or
               disclosed  at  any point  from  input  form
               completion  to report  distribution.    In
               addition, speakers from OMB,  GSA, NBS,  and
               OPM discussed their agencies'   roles  in
               implementing OMB's A-71  Security  Circular.

               Bill  Allen, from  MIDSD's Research Triangle
               Park  office,  was a  member of a  panel  on
               contingency  planning.   Bill represented
               organizations with  large-scale   computers
               and  service  bureau  operations.     He
               described the National  Computer Center
               (NCC),  NCC   management's   attempts   to
               involve   their   user  community    in
               contingency  planning,  and  their current
               negotiations  for  backup services.

                        (Continued on  page 3)

-------
WCC  HIGHLIGHTS
                          Maureen Johnson

   •  April system stability was outstanding at WCC, with only 14 stops: 7 on the IBM 168
      and 7 on the IBM 3032.  There were 12 WYLBUR stops, 6 JES stops, and no TSO failures.

   •  The Value-Added Network (VAN) is installed and available for user access.  The VAN
      will eventually replace most of the low-speed WATS lines used for interactive terminal
      access.  The WCC Telecommunications staff is assisting users in learning new sign-on
      procedures and in reporting user problems with the new VAN.
              Beg Your Pardon
The  staff of  EPA  Data  Talk  regrets  that
photographic  credit was omitted  from the
March/April  issue.    The  two  photographs
appearing  in  that issue were taken by Joe
Wilson (MIDSD/NCC).
     EPA Data Talk is published bimonthly by the
     EPA Management Information and Data Systems
     Division, National Computer Center, for EPA
     personnel and contractors interested  in
     general ADP topics.

     Comments, suggestions,  and news items
     should be addressed to:

         William G. Allen
         Editor, EPA Data Talk
         National Computer Center
         Research Triangle Park
         North Carolina 27711
     To ensure that our distribution list is up
     to date, please  indicate  any  required
     changes  on the mailing label attached to
     this  issue and mail  it to the  above
     address.
NCC HIGHLIGHTS
                              Tom Rogers

   •  Stability on the NCC computer system continues high.  For the last quarter
      (January-March), stability was the best since the second quarter of FY1979.  The NCC
      is also continuing to set new records for the amount of work processed.  Several new
      daily records were established, and April was the highest month on record for
      generated SUP's (Standard Units of Processing).  With so much work being processed,
      a degradation in response time and/or turnaround time may be encountered.

   •  The Central Processing System Expansion (CPSE) for the NCC has been installed in the
      new computer facility.  A new level of Sperry Univac operating system software is
      being generated and tested for use on the hardware.  Plans currently call for the
      initial conversion of user production work to the CPSE (SPERRY UNIVAC 1100/82 System)
      during August of this year.  Users will be informed of status and plans through
      SIGNON, EPA Data Talk, memorandums, and briefings.

   •  The combined data center graphics surveys have been returned.  An analysis of the
      results is currently under way.  The end result, a graphics plan, should be
      forthcoming during the summer.

   •  Sperry Univac has recently unbundled.  This means that almost all items supplied by
      Sperry Univac become cost items to the data center.  Direct user cost items, as a
      result of the contractual arrangement, include Sperry Univac documentation and
      training.  User memorandums will detail the procedures to follow for requesting
      documentation manuals.
The  deadline  for  contributions  to  the
July/August issue of EPA Data Talk is June
27.    Contributions received  after  that
date  will  be published at  the  discretion
of the editor.

-------
SOFTWARE  EXCHANGE  HELPS  PARTICIPANTS
                          Margie Edwards

If you have a PDP11/70  or  a  PDP11/45,  the
Minicomputer  Software  Exchange  (MSX)
provides an excellent  opportunity to  save
development costs and effort.

In  1976,  EPA  began  standardizing   the
minicomputers used  in  all  regional  branch
offices  and  laboratories.   In 1979,   the
standardization of  software became a  smoother
transition with the establishment of  the
Minicomputer  Software  Exchange.     The
Exchange Center  is  operating at  CSSD,
Cincinnati,  Ohio,  with  GSA  Contractor
support from the  University  of Cincinnati
Computing Center.

The purpose of  the  Exchange is  to:

   •  Coordinate   software   development
      efforts by providing a focal point.

   •  Store software  and documentation of
      general  need  by  at  least  three
      sites.

   •  Distribute  software, documentation,
      and software  information.
   •  Assist  software  users  and  developers.

   •  Identify,   collect,  and  distribute
      information.

   •  Develop and maintain  a  data  element
      dictionary  for software within  the
      Exchange.

The  benefits  of  participating  in  the
Exchange are very attractive in savings of
both cost and time.  For example,  joining
the  Exchange  can  reduce  application
software duplication,  overall software
development cost,  and software development
time.

Support  from the  Minicomputer Software
Exchange varies,  depending  on how  complex
the software is and whether the  supportee
is a user or developer.

The  Exchange now has  an inventory of  61
packages.    Computerized  records   are
maintained on  MSX inventory status and
include such details as name of submitter,
language, and  documentation  available;
distribution status (when and where each
package has been distributed); and a directory.   The  most
active categories  are (1) system software,
(2)  national  data entry  interfaces,  and
(3)  graphics.   The bulk  of MSX inventory
can  be   grouped   under  the  following
headings:

   •  PDP11  Operating  &  Communications
      Software

   •  National  System  Interfaces  (Data
      Entry  Systems  with  Validation  and
      Reformatting  for  Submission  to
      National Systems)

   •  Tracking and Management Systems

   •  Statistics and Graphics

A detailed list of MSX inventory,  as well
as guidelines for  participating in MSX and
for   standardizing   documentation,   is
available by  contacting (FTS) 684-7902 or
your PDP11 ADP System Manager.


         (Continued from page  1)

At the  end  of  his 20-minute  talk,  Bill
answered a  number of  questions,  some  of
which should interest Data Talk readers:
     Q.  How long an outage before you switch to the backup site?
     A.  Two weeks.

     Q.  What percentage of your workload will you attempt to run?
     A.  Twenty percent.

     Q.  What types of processing?
     A.  Production batch only.  No development work and no demand processing.

     Q.  What will be required of your users?
     A.  They will have to define the critical elements of their critical systems and
         prepare run books suitable for use by NCC operations staff who will be located
         at the backup site.

     Q.  Do you plan to test the plan?
     A.  Yes, I am expecting a call at 2:00 a.m. some morning.

-------
                                        ADP SECURITY
                         Marguerite L.  Hall, Computer Specialist
          This is the third in a series of  four articles on  ADP security.  The first article
          reviewed the peculiarities of ADP that make it inherently insecure.  The second article
          covered ADP security's key concepts and terminology.  This article traces the history of
          ADP security in the Federal Government from the early 1960's through the issuance of OMB
          Circular A-71,  Transmittal Memorandum No.  1.  The fourth article  covers EPA's recently
          developed agencywide security program and our plans for a staged implementation.
                               Historical  Overview
Almost  2  years ago, in  July 1978, the  Office  of Management  and  Budget (OMB)  issued  its
magnum  opus on  ADP security:    OMB  Circular  A-71,  Transmittal  Memorandum No.  1.    The
memorandum,  its  origins,  intent,  and  content are the  subject of this article.

ADP  security was  pretty much  overlooked  in the  Federal  Government during those  halcyon
pre-COBOL  days of the 1950's.   Data  centers were built  in glass boxes; big  signs showed
the  way;  authorization  and  authentication, uninterrupted  power  supply  (UPS),  and
encryption were  still  out  in the cold.   However, early  in the sixties data  processors'
security  awareness was  raised  a  bit  because of a dozen  or so well-publicized  floods  and
fires  and several well-placed  bombs  and  grenades.   Management  responded.   Data  centers
were  relegated to dark dungeons  in building basements and  armed guards  were  stationed at
every entrance.   The computer world sat back satisfied.

Then  came the mid-to-late  sixties with its  new movements,  changing public policy,  and -
surprise  of surprises  -  finger  pointing  at  ADP.   It  started,  oddly  enough, with  the
Freedom  of  Information  movement.    Historically,   requestors  of  information  from  the
government had had to  come, hat  in  hand, showing that  they had good reasons  for  their
requests:   professors  searching  out  obscure memos and minutes,  lawyers  seeking facts  and
figures,  geologists  pursuing  sinks and  rifts, actuaries  delving into  demographic
distributions.   In the government's judgment, all  good  causes.

The Freedom  of Information Act, better known by its abbreviation,  FOIA, reversed the  rules
in 1966.   It became,  and still is, the government's  responsibility  to  prove why a  request
should  be denied.   You  can write to any  executive agency  and ask  for  a  copy  of  any
definable  record  and,  with  few  exceptions,  it's yours.    And  the  answer  is yours  quite
quickly  because  of  stringent  time tables.    In fact,  delays  and  denials  can  result  in
disciplinary action for  any government official who  arbitrarily  or  capriciously withholds
the data.
About  the  same  time that the FOIA legislation was drafted,  the  prestigious  Social Science
Research  Council recommended the  creation of a national data center.   On the  surface,  it
made  sense:   economies  of scale,  shared data  resources,  and nationwide  availability.
However,  the proposal  raised  considerable furor.   The Orwellian specter of computerized
invasions  of  personal  information  on  every  single  citizen  inflamed   liberals and
conservatives alike.   Even  a few data processors  professed  shock and chagrin.

And  right on the  heels of  this proposal  came a  congressional  investigation  into  unfair
credit  practices.   The investigation revealed the  extent  to which personal information was
being  swapped or sold, used and abused, modified  and misinterpreted.

This  investigation  was followed  by another  series of  congressional  disclosures on the
extent of information gathering  by  the  government:    military intelligence agents
collecting  and  computerizing   dossiers  on  civilians;  the  FBI  wiretapping  government
officials  and  the  press, while  government  officials and the press were taping each other's
private conversations  -  with only an occasional  18-minute gap.   In  other  words,  a wealth
of  information  was  being captured  legitimately and  illegitimately,  much  of which  was
conveniently  packaged  in machine-readable  form and  widely  distributed  for purposes  not
originally envisioned.  Decidedly, not nice.

Obviously, the climate was ripe for righteous reaction.  In Washington it came in the form
of the Privacy Act  of  1974.   Although the Act applied only to Federal executive agencies,
its principles were widely accepted  (although  not  necessarily implemented) by  state  and
local governments,  educational institutions, and industry.

Although  "freedom of  information"  and  "privacy" are seemingly contradictory  terms,  the
security issue is really  the same - confidentiality.  On the one hand, the FOIA, as it  was
amended in 1974,   spelled  out nine exemptions  to  automatic  release  of information.   On  the
other  hand,  the Privacy  Act  specified  that  agencies  must  "establish  appropriate
administrative,  technical,  and  physical   safeguards  to  insure  the  security  and
confidentiality of  records and to  protect  against  any anticipated  threats  or hazards to
their security or integrity...."  If  there  were  information  that  the public didn't have a
"right" to access,  if  there  were  personal information that had to be safeguarded, if both
kinds of information were in automated  information  systems,  then  someone had better start
thinking about unauthorized  access and  disclosure.   That realization was  the first step
toward A-71, T.M. No.  1.

By the mid-seventies ADP security had become  a high-interest  issue.   The  National Bureau
of Standards (NBS)  had held  several security conferences.  HEW had worried in public about
the vulnerability of  its  multi-billion-dollar  welfare system.   The National  Academy of
Sciences had  sponsored  a project on computer  data banks in  a  free society.   There  was
enough  interest  to make  publishing pay.   James Martin wrote a  book  titled "Security,
Accuracy,  and Privacy  in  Computer  Systems."   Donn Parker  at  the  Stanford  Research
Institute  published a  book on crime.   Even the New Yorker  ran a  three-article series on
white-collar computer  capers.

The General Accounting Office (GAO) took notice too.  The GAO, as you may recall from your
high school  civics  class, is  Congress's  creation charged with auditing,  accounting,  and
investigating the activities of  the executive branch.  ADP,  as you  can  imagine,  has over
the years  provided  the GAO with  a rich array of problems to ponder.  During 1975 and 1976
GAO  looked  into  three  separate  areas:    data  processing  facility  catastrophes,
computer-assisted crime,  and information systems that seemingly made their own decisions -
often wrong.

The GAO  report  titled  "Managers Need to  Provide Better Protection  for  Federal Automatic
Data Processing  Facilities"  was  filled with  sad,  sad stories of  data center  disasters -
all at Federal or federally  sponsored facilities.  This report came complete with pictures
- a rare treat, indeed,  for  a GAO report.  There were pictures of the gutted Pentagon data
center,  a  very wet postal  center  in Wilkes-Barre-on-the-Susquehanna,  a  bombed-out Army
Mathematics  Research  Center at  the  University of  Wisconsin,  and  a  collapsed  roof  and
mangled beams at  the St.  Louis Military Personnel Records Center.   Messy, very messy.

The second report,  "Improvements  Needed  in  Managing Automated Decisionmaking by Computers
Throughout  the  Federal  Government," contained  stories  programmers know  all too  well.
There were unedited data, outdated  data,  damaged data,  and destroyed data.   There were
misunderstandings between customers and designers, misunderstandings between designers and
developers,  misunderstandings  between developers and implementers,  and  misunderstandings
between  implementers and  users.   Business as usual  in ADP.

For  want  of  a binary bit  the  Army  hauled radioactive  materials around  the  country in
unshielded  trucks.   The Navy, relying  on  an  uncleared  accumulator, wasted  ten million
dollars  on unnecessary repairs.   Tiny,  internal table troubles resulted  in an overpayment
of  $700,000  in a Veterans  Administration  program.   A  buried bug  brought  about several
million dollars of  unneeded  cross-country material  transport before  it was exterminated.
The GAO  also went  searching  for Federal  computer crime.   They found  it.    In a  report
titled "Computer-Related Crimes in Federal Programs," the GAO detailed fraudulent payments
for goods,  real  and imaginary.   They discovered payments  for  services  neither wanted  nor
delivered.   They  found  phony  welfare  checks  and  surreptitious  step  increases.   They
uncovered  stolen  timesharing services,  stolen  data  and  stolen  software.    They also
suggested,  as  have many  security  analysts,  that most  computer crime  goes undetected.
Often the little that gets detected goes unreported.  And of the  little that  gets reported
even less gets successfully prosecuted.

The underlying theme of the three reports  was  MANAGEMENT NEEDS TO GET INVOLVED.  Managers
need  to  understand the magnitude  of the  problem.   Managers need  to allocate  resources.
Managers need  to provide  reasonable  protection of their ADP resources.   Managers need  to
evaluate the effectiveness and  efficiency of  their  controls.   Thus a giant  step was made
on the way  to A-71, T.M. No.  1.

The GAO reports  prompted  Senator Ribicoff,  chairman  of the Senate Committee  on  Government
Operations,  to  order  his  staff to  prepare  a study  on  computer  crime in the Federal
Government.    The   study,  released  in  1977,   contained  a  collection  of  documents  and
information  on  "questionable  practices" in Federal  ADP programs.  For example, the study
looked  into a   programmer-training  project at Leavenworth Penitentiary.    Inmates were
allowed to  develop sensitive  software for both the IRS and the Department of Agriculture.
That  included  tax  returns and commodity projections.   To  make matters worse, development
took  place  on  a governmentwide timesharing  service.   Other agency software  and data were
there wide  open  for abuse.

The study  also  reported on the  United  States  of America  v. Bertram Seidlitz.  This case
may be  familiar to many in EPA.  Mr.  Seidlitz had been an employee of a Washington-based
timesharing  firm  before  he   resigned to  start  a  software business  of  his  own.    He  was
convicted of wire  fraud after he was discovered trying  to  get copies of WYLBUR  code via a
terminal  and phone  lines in his  Virginia home.    The crime was  uncovered  by an  alert
operator who recognized Seidlitz's initials  in a SHOW LINES command.

As a  result of  its investigation,  the Committee recommended that OMB should  take the  lead
in improving security by:

      •    Directing the executive agencies  to  implement the GAO  recommendations.

      •    Coordinating  activities  of  the  General  Services  Administration  (GSA),  the
          National Bureau  of Standards  (NBS), and the  Office of  Personnel  Management
           (OPM).

      •    Having NBS,  which has responsibility for providing governmentwide  standards  and
          guidelines, develop technical security standards.

      •    Having GSA,  the Government's  landlord, housekeeper,  purchasing  agent,  and  record
           retainer, develop physical  security  standards.

      •    Having OPM,  formerly  the  Civil  Service  Commission,  issue personnel security policies.

 OMB's response  to  the  congressional  directive  eventually emerged as Transmittal  Memorandum
 No.  1 to Circular A-71.   T.M.  No. 1 assigns  ADP security responsibility  to the head of
 each  executive  branch  agency.   Agency heads  are to  ensure  that reasonable  measures  are
 taken to  protect   their  ADP  assets.   That  should   sound  familiar to  you  by  now.   The
memorandum  also directs that comprehensive security  programs be  developed  and implemented
 in  each  agency.   It spells out  the  scope  for these programs.   The scope  includes personnel
 practices,  ADP contracts, data processing facilities,  and  application systems.   It  covers
 all   application  systems  which  are  sensitive because  they  process  personal  data  or
 confidential business information or because  they control assets.   It  covers application
 systems  which  are critical  to agency functions  and  missions.   It requires  management
control  processes, certification  that security specifications  have been  met, risk
analysis, official  record retention, and  periodic  evaluation.   It's  broad,  it's thorough,
and it makes sense.

In addition, T.M. No. 1 has given some further responsibilities to GSA,  NBS,  and OPM.   GSA
is to issue policies and regulations for physical security of computer rooms and to assure
that  procurements  have received  agency  security  certification.    NBS  is  to  develop
standards  and  guidelines   for security  and  procedures  for  implementing   them  and  for
evaluating their effectiveness.

OPM has  responded  to  its T.M.  No.  1  directive by issuing both a  formal  change  to  Chapter
732 of the  "Federal Personnel Management Manual"  and  Bulletin  No. 732-2.   The  manual  now
directs  all  agencies  to classify their ADP  positions  by the degree of  sensitivity.   EPA
has done  this.   If you're  a manager of ADP  you may  recall  a letter  from the Security  and
Inspection Division requesting the  classification  of all ADP-related jobs into  critically
sensitive,  sensitive,  and  nonsensitive  categories.   EPA  must  also perform  appropriate
background checks on candidates for these sensitive positions.  If you're the manager of a
major system handling sensitive  information,   you'll  be subject   to  a full field
investigation.  If  you're a programmer on a  less sensitive system, a national agency check
may  suffice.   Bulletin No.   732-2  clarifies the  authority of  the executive  branch  to
investigate  and  grant  or  deny  clearances  to  employees   of  contractors  and  proposed
contractors.

Within 6 months of  issuance of the A-71 directive, OMB asked each of the agencies how well
they  were doing with their programs.  About that  time also, GAO asked  each agency about
the same question.   It was a  moment  of  truth.  Most  agencies realized  they needed  some
instant  expertise.   They  tried training  in-house staff, papering  personnel boards  with
vacancy  announcements,  hiring consultants,   and flooding  the streets with RFP's  for  risk
analyses,  vulnerability  studies,  security  surveys,   threat  assessments,  and  exposure
measurements.

By  now,  somehow,  with  few exceptions most  agencies  have   something they  are  calling  a
security  program.   Some programs  begin  and  end with  changing a password or two  once or
twice a  year.   Other  programs focus  on  carefully composed  technical teams  of thousands
running  risk assessments.   Still  others  have concentrated on the preparation of elaborate
plans for contingency operation, on installation of Halon fire suppression systems, on key
cards, on UPS systems, or on maintaining high employee morale.

Not that all that isn't needed, in whole  or  in part.   But what  most  programs  seem  to  lack
is both  breadth and balance.   Security  programs  need  clearly  defined   policy  and  scope.
They need assigned  responsibilities.  They need carefully designed standards and realistic
administrative  procedures.   Programs need  to promote  awareness and provide  for  periodic
evaluation.

And that's  what we're doing  in EPA.   We are taking  a well-planned methodical  approach
which  should result in  a  realistic,  well-rounded program.   Our security  program, when
fully  operational,  will include  standards   for the  security of  all our data  processing
facilities,   standards  for  security during  development and  operation of  our  sensitive  or
critical  application  systems,  and  standards  for  our  sensitive  ADP procurements.    The
program  will also  have a  documented  methodology  for  evaluating  how well we are  meeting
these  standards.    Our  plans   and  progress   to date  in implementing our program  are  the
subject of the  last article in this series.

-------
               UNITED STATES
        ENVIRONMENTAL PROTECTION AGENCY
         National Computer Center
          Research Triangle  Park
           North  Carolina 27711

              OFFICIAL BUSINESS
         PENALTY FOR PRIVATE USE $300
          AN EQUAL OPPORTUNITY EMPLOYER

 POSTAGE AND FEES PAID
 U.S. ENVIRONMENTAL PROTECTION AGENCY
       CPA-339
-------