NIST SP 800-137

From: Howard A. Schmidt/The White House Blog

As I was flying back from a cybersecurity conference in San Francisco several weeks ago, I reflected on the wide range of technology and talent we have working to build up our cyber security – and the challenge of knowing which will be most effective when dealing with advanced adversaries, especially in a limited budget environment. Federal Departments and Agencies need to focus their cybersecurity activity on a few of the most effective controls. This is why my office, in coordination with many other Federal cybersecurity experts from DHS, DOD, NIST, and OMB, has identified three priority areas for improvement within Federal cybersecurity:

According to GAO testimony attached below, IT SUPPLY CHAIN: Additional Efforts Needed by National Security-Related Agencies to Address Risks, monitoring is crucial to securing the federal government’s IT supply chain.  GAO explained that at three of the four national security-related agencies studied, “risks highlight the importance of national security-related agencies fully addressing supply chain security by defining measures and implementation procedures for supply chain protection and monitoring compliance with and the effectiveness of these measures.”

Specifically, GAO’s recommendations to Departments of Energy, Justice and Homeland Security inlcude: “develop and implement a monitoring capability to verify compliance with, and assess the effectiveness of, supply chain protection measures.”

From: ExecutiveGov.com

Federal departments and agencies need to focus on three main areas of cybersecurity, the White House’s cyber coordinator said Friday.

Howard Schmidt wrote on the White House blog that agencies should achieve 95 percent utilization of the administration’s priorities regarding federal information systems.

Schmidt’s office, the Office of Management and Budget, the National Institute of Standards and Technology and the departments of Defense and Homeland Security collaborated to identify the priorities.

The first priority is trusted Internet connections, Schmidt wrote.

Agencies should consolidate their external telecommunication connections and develop a baseline set of security capabilities for situational awareness and monitoring.

Continuous monitoring was the focal point of a discussion by a a senior NIST official at a conference hosted by Government Executive magazine. The official emphasized two key points: 1) the importance of good governance, i.e., leadership and management in developing and implementing risk management and mitigation strategies is essential for security; and 2) that security needs to be included in the system’s enterprise architecture.

Specific continuous monitoring issues that were raised at the meeting included how many controls are appropriate and how frequently the controls should be monitored. The issue of control controls was also a prominent discussion topic.  The NIST official suggested that lean budgets could be beneficial for security since they force better decision-making.

Editor’s Note:  The complete GAO report is attached below.

From: Politico

IRS data protections found lacking

By DAVID SALEH RAUF

The IRS has failed to implement key components of its information security program, potentially putting at risk sensitive agency and taxpayer data, according to the federal government’s top watchdog.

A report from the Government Accountability Office released Friday concludes that IRS computer systems used to process financial and taxpayer data are subject to “control weaknesses” that could “jeopardize the confidentiality, integrity and availability of the financial and sensitive taxpayer information processed by IRS’s systems.”

From: NIST

I am pleased to announce that the initial SCAP 1.2 reference implementation beta release and an updated XCCDF reference implementation release has been posted to SourceForge for download.  You can access these releases using the following links:

http://sourceforge.net/projects/scapexec/files/1.2.1_build_26/

http://sourceforge.net/projects/xccdfexec/files/1.2_build_110/ 

The SCAP 1.2 reference implementation is a new project that leverages the XCCDF reference implementation to process SCAP 1.0, 1.1 and 1.2 content.  The XCCDF reference implementation has been significantly updated to support both XCCDF 1.1.4 and 1.2 content.  Please refer to the documentation included in both packages for more information on changes in the releases and operating instructions.

From: GovInfoSecurity.com

A Conversation with Deputy Undersecretary Mark Weatherford

By Eric Chabrow

To get a sense of how Mark Weatherford will help reshape the way the federal government approaches IT security, look at one of his first hires: John Streufert.

In the words of Weatherford, Homeland Security deputy undersecretary for cybersecurity, Streufert is a “superstar” across the federal government, having won praise from IT security practitioners and policymakers as well as members of Congress for implementing a continuous monitoring program and risk scoring system at the State Department as chief information security officer. Weatherford tapped Streufert in January as director of DHS’s National Cybersecurity Division.

OMB’s FY 2011 Report to Congress on FISMA implementation discusses plans for expanding the use of continuous monitoring. As the report explains:

Continuous monitoring will be expanded to include threat monitoring and awareness of operational effectiveness. Departments and agencies will implement continuous monitoring to areas that have a significant threat presence and have been identified as the most critical for the protection of information resources. Insider Threat metrics will be added throughout the corresponding capabilities. Research indicates that the implementation of information security best practice and continuous monitoring can reduce insider threat incidents through a layered defense to include policy and procedures, as well as, information technology.

From: CoreTrace

by PDean

Well is it or is it not? Who cares? Let’s take out the debate about whether or not the new FISMA regulations actually do anything for security practices, and face the reality that we, as government entities (whether directly employed by or contractually attached to a government entity), must fulfill our compliance obligations. Those of us who want to actually secure our environments will not only abide by the compliance mandates, but we will also implement security standards and practices that truly improve security within our appointed domains.

Congressional testimony by the NASA Inspector General, attached below, discusses serious failings in agency security.  Some key failings were directly tied by the IG to shortcomings in the agency’s continuous monitoring program.  

The IG explained that the traditional FISMA approach to security did not reflect an organization’s actual security posture:

However, an agency’s FISMA grade has been found to be unrelated to whether its IT assets are adequately protected from attack. Thus, FISMA has, to a large extent, devolved into an expensive paperwork exercise that fails to accurately measure an organization’s IT security posture.