NIST SP 800-137

A federal official, speaking at the Splunk>Live! conference in Washington, described how he used sophisticated continuous monitoring software to protect his agency following the highly publicized breach of RSA’s SecurID system in March 2011.

Each SecurID token generates a pseudo-random code every 30 seconds which, along with a User Name and PIN, are used to authenticate logins to numerous federal and private networks.  The apparently successful Advanced Persistent Threat (APT) attack may have compromised the security of the token codes, leaving systems at increased risk of attacks using SecureID codes with various random/guessed sets of user names and PINs. Since the system in question was extensively used by authorized personnel around the world, it was not practical to cut off all service or connections from selected geographic areas.

(PR NewsChannel) / May 24, 2011 / WASHINGTON / Today at the semi-annual Government Technology Research Alliance Council Meeting federal CXO’s discussed top priorities for cloud computing security. 

The federal “Cloud First” initiative calls for each agency to move three services to the Cloud by mid 2012, creating a need to develop cloud security/privacy technologies and strategies for use in the government.  Research conducted by market research firm, Input, states that federal cyber security spending will rise from $8B in 2010 to $12B in 2015.

A presentation by DOE’s Office of Cyber Security discusses how to use the FedRAMP program for cloud computing.  In the slide show, DOE explained that FedRAMP  “provides a standard approach to Assessing and Authorizing cloud computing services and products” and allows “joint authorizations and continuous monitoring services for Government and Commercial cloud computing systems.”

The result is an “‘approve once, and use often’ common security risk model that can be leveraged across the Federal Government.”

The presentation also explains the two key interactions between agencies and FedRAMP: 1) Sponsoring a multi-agency cloud provider; and 2) Leveraging a FedRAMP authorized system.

Editor’s Note:  The following article from Infowar Monitor reports that,

the State Department with being the only U.S. government agency that has achieved near-real-time situational awareness by employing what the Department calls “continuous monitoring.” It enables cyber defenders to minimize their vulnerability by quickly protecting their systems when a new threat or vulnerability is discovered. State Department managers update their threat assessments on a daily basis, not monthly or quarterly like most agencies, and can quickly tell when a computer network has not received a needed software patch.

State Department Goes on Cyber Offensive

Source: Richard Weitz, Second Line of Defense

The Federal Aviation Administration, in their comments on the Initial Public Draft of SP 800-137, recommended that NIST add

more implementation-specific text. There’s a lot of general text on why continuous monitoring is good, and high level guidance, but could be more implementation guidance or examples of implementation alternatives.

The FAA’s complete comments are attached below.

FAA.SP_800-137comments