A government shutdown that lasts more than a few days could test the ability of federal agencies to protect their information systems against security threats.
Several agencies, over the past few days, have released contingency plans showing that they will have to heavily scale down their IT teams to maintain, manage and protect IT infrastructure during a shutdown.
The U.S. Department of Veterans Affairs , for instance, said it will furlough more than 40%, or 3,267, of its 8,026 IT employees in the event of an appropriations lapse. Those remaining will be responsible for functions such as network maintenance and protection, information security and for keeping the data center and enterprise infrastructure running.
In some cases, the shutdown will leave barely a skeletal staff in place to run legally "excepted" activities.
The Federal Trade Commission exempted a total of six employees from taking a forced furlough. The six will be responsible for ensuring the integrity and availability of the agency's IT infrastructure to other exempt employees at the agency. The six individuals will also be responsible for other tasks, including direct support of the agency's network and telecommunication services, operating the FTC's data center, rotating backup media for offsite store and provide on-site database administration support, the FTC said in its contingency plans.
The Social Security Administration exempted 10%, or 310 of its 3,187 IT employees, for infrastructure and program support purposes. The U.S. Department of Housing and Urban Development asked all but 349 of its 8,709 administrative and management staff to go on furlough. Among those exempted from the furlough are 13 IT employees out of 244 in the agency CIO's office. The 13 will be responsible for keeping critical systems running and protecting them against security threats.
Most other federal agencies are expected to have a similar handful of IT security staff and other essential personnel to run infrastructure operations.
"I believe that most CIOs will have their security and network analysts deemed 'essential,' and they will be on a heightened [state] of awareness," said Karen Evans, former de facto federal CIO during the George W. Bush administration.
Many IT services will need to be available through a shutdown so most IT staff will also be deemed essential, she noted. "But, the short of it is, because of all the services online and how government accesses these services, there are going to be risks," associated with a prolonged shutdown, she said.
Eugene Spafford, executive director of the Center for Education and Research in Information Assurance and Security at Purdue University said the contingency plans that federal agencies have set up should be adequate for a few days but not for a long stretch.
Even with systems shut down, functions like patching and installing key maintenance upgrades are important and could pose a challenge for skeletal teams that have been assembled to manage IT systems during a shutdown, he said.
If the shutdown were to persist through the second Tuesday of October for instance, many agencies could find themselves scrambling to install Microsoft's monthly security updates, Spafford said.
Mike Brown, vice president and general manager at security firm RSA's global public sector unit, noted that security risks to federal agencies overall should not increase dramatically as a result of the shutdown. However, the potential for agencies to make mistakes increases during times of reduced staffing.
"I would expect that most of the infrastructure would be maintained by personnel who have been designated as essential, and that planning has taken place to ensure security remains a priority," Brown said. "However, any time there is an event like this, there is the potential for mistakes to take place," Brown said. "Not only will the impact of nonessential personnel weigh on an organization, but additional issues could arise based on the overall status of personnel and priorities."
A Sept. 16 directive issued by the White House Office of Management and Budget requires federal agencies to wind down all IT activities other than "excepted" activities, including those that are essential to safety and protection of property, in the event of a government shutdown.
The directive leaves it up to agency heads to determine what systems can be kept running, but it makes clear that the only systems allowed to run will be those that directly support an exempted activity. If that system happens to be interconnected with other system, the agency has to figure out a way to keep it running without affecting the safety and security of the other systems, the directive noted.
"Given that websites represent the front-end of numerous back-end processing systems, agencies must determine whether the entire website can be shut down or components of the website will be shut down," to ensure compliance with procedures during an appropriations lapse, the OMB memo noted.
This article, Shutdown could test IT security at federal agencies, was originally published at Computerworld.com.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is [email protected].
Read more about government it in Computerworld's Government IT Topic Center.