NIST SP 800-137

From: ReadWrite

Two years ago, the U.S. Dept. of Homeland Security firmly decided (again) that a policy of responding to vulnerabilities in the nation’s cybersecurity when they happen, is insufficient. The National Institute of Standards and Technology set about on a plan to model a 21st century perpetual vulnerability mitigation scheme – a continuous monitoring (CM) framework that attempts to model security procedures not in terms of crisis and response, but instead as a perpetual cycle of monitoring and engagement that stays basically the same whether or not there’s a crisis.

From: NIST

Community Members,

I am pleased to announce the posting of three NIST Interagency Reports (NISTIRs) pertaining to continuous monitoring.  These documents contain information that was presented during a series of conference calls late last year and at the 7th Annual IT Security Automation Conference in November, 2011.

From: GovInfoSecurity.com

Highly Regarded CISO New National Cybersecurity Division Director

By Eric Chabrow

One of the most respected chief information security officers in the federal government, the State Department’s John Streufert, is taking his vast knowledge of IT security and continuous monitoring to the Department of Homeland Security, as director of the National Cybersecurity Division.

At DHS, Streufert will continue to build an effective national cyberspace response system and implement a cyber-risk management program for the protection of critical infrastructure, such as dams and transportation, Mark Weatherford, Homeland Security deputy undersecretary for cybersecurity, said Friday in a blog. Streufert also will work to maintain and strengthen DHS’s collaborations with public, private and international organizations to secure the nation’s critical cyber infrastructure.

From: NextGov

By Aliya Sternstein

A critical part of a fast-track strategy that allows agencies to digitally borrow each other’s cloud security guarantees will not be available when the operation gets under way this summer, federal officials told Nextgov.

The mantra of the new effort, called the Federal Risk and Authorization Management Program, or FedRAMP, is “Do once; use many times,” meaning a department can go through the arguably arduous process of authorizing a Web-based service and then many other departments can sponge off that work to deploy the tool more quickly. The General Services Administration, which manages the program, plans for the certifications to be accessible through a central online clearinghouse.

Attached below is a short document from the  Government Business Council providing an overview of cloud computing and continuous monitoring.

GovBusCouncil.BriefingPaper-Cloud Computing

From: GCN

By William Jackson

The National Institute of Standards and Technology is updating guidelines for using the Security Content Automation Protocol (SCAP) for checking and validating security settings on IT systems.

SCAP is a NIST specification for expressing and manipulating security data in standardized ways, including implementing security configuration baselines, verifying patches and known vulnerabilities, continuous monitoring of vulnerabilities and security configuration settings, looking for signs of compromise, and determining the security posture of systems.

Special Publication 800-117, Guide to Adopting and Using the Security Content Automation Protocol Version 1.2, is being revised to provide an overview of its use as well as guidance to vendors for adopting the protocols in their products and services.

Editor’s Note:  The GSA-released security controls package consists of a pdf document, “Federal Risk and Authorization Management Program (FedRAMP) Security Controls” and an Excel spreadsheet, “FedRAMP Security Controls Baseline: Version 1.0”  which have been archived in a single .zip file.  For the convenience of FISMA Focus readers, attached below is the .zip file and the uncompressed .pdf and .xlsx files.

From: GSA

FedRAMP security controls help form the basis of the FedRAMP program. Based off of the  established government-wide cybersecurity standard – NIST SP800-53 controls – this control baseline informs the FedRAMP process.

From: SANS News Bites in response to news reports that most agencies will not meet the deadline for FISMA continuous monitoring requirements.

(Paller): It’s never been about the money.  Ever since both Senate and House hearings and White House leadership have called upon agencies to replace C&A reporting with continuous monitoring and mitigation, two barriers have consistently blocked broad adoption: (1) the contractors who are earning $350 million every year writing out-of-date and unread security reports for certification and accreditation updates, and who don’t want to give up that money even though they know they are wasting federal funds, and (2) the IGs who give the contractors cover because they don’t know how to, and have not tried to measure continuous monitoring and mitigation systems.  A phone call I had with the IG from a major agency this week says that the second barrier is falling across several agencies.  There is more than enough money wasted in C&A report writing to fully fund continuous monitoring and mitigation.

FedRAMP’s continuous monitoring based risk management evolution was among the issues highlighted in GSA’s Office of Citizen Services & Innovative Technologies (OCSIT) 2011 annual report.  The report states that FedRAMP’s benefits include shifting

risk management from annual reporting under FISMA to more robust continuous monitoring by moving towards detecting in real-time and mitigating persistent vulnerabilities and security incidents

The complete GSA OCSIT report is attached below.

FY2011OCSITAnnualReport

From: HackingTheUniverse

It is a mantra of quality improvement methodology that you can’t manage what you don’t measure. Security metrics are the measurements that allow management of information security. As function and requirements change from network and organization to others, so will the requirements and design of security metrics change. But there are some standard and central concepts to build upon.

1. Know your mission – this begins with the basic business missions that drive your organization and moves toward defining the metrics you want to use. Along the way, you will need to consider policies and procedures and how your security protections are built into your network. If you’re lucky, this was considered during the development of the network and some of the metrics were defined early and built into the processes and security controls.