Defense to spy on its own data

From: Nextgov

By Aliya Sternstein

The Pentagon is draping its networks with technology that builds a 3-D model of the weaknesses lurking inside them, to show managers where threats are most likely to enter, according to a contractor hired for the project.

The patented Passive Vulnerability Scanner is one of several new surveillance systems that the Defense Information Systems Agency, the Pentagon’s information technology support arm, is delivering to military services and select intelligence agencies under a contract announced this week. The seven-year project valued at $39.8 million transitioned out of test mode in late 2011 and soon will be available with full functionality, according to developer Tenable Network Security.


Federal Legislation to Update FISMA Can Speed Shift to Continuous Monitoring

From: EMC Public Sector Blog

by Shannon Kellogg

It’s hard to believe that it’s been nearly 10 years since the Federal Information Security Management Act (FISMA) was enacted. I know that I am growing older but it seems like only yesterday that staff working for former U.S. Representative Tom Davis (the lead sponsor of FISMA legislation in 2002) were in the throes of drafting that legislation. The final product was included in the E-Government Act of 2002 and, after becoming law, FISMA provided a sound framework and baseline standards and drove additional accountability within federal agencies for implementing information security practices.


CBO puts price tag on 2 cyber bills

From: FederalNewsRadio.com 1500AM

Congress will be debating several cybersecurity bills this week. The Congressional Budget Office has put a price tag on two of them.

The Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act — the Precise Act of 2012 — would authorize funding for the Department of Homeland Security. CBO scored the bill at $28 million over five years.

More expensive was the Federal Information Security Amendments Act of 2012. This rewrite of FISMA carried a 10-year price tag of $710 million. That was because it would impose new cyber procedures across the government, mainly continuous network monitoring.


Cyber Bills Set to Hit House Floor Next Week

From: Executive.Gov

House committees approved two cybersecurity bills on Wednesday and they are set to hit the House floor for consideration next week, the Federal Times reports.

The Oversight Committee approved the Federal Information Security Amendments Act, which would require agencies to practice continuous monitoring of the security of their networks.

The bill would also require agencies to appoint either a chief information security officer or a senior official to oversee information security programs and compliance.

The Homeland Security Committee approved a version of the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act, which would allow the Department of Homeland Security to share information with the private sector.


Continuous monitoring: It’s a process, not a goal

From: GCN

By (ISC)2 Government Advisory Board Executive Writers Bureau

“Continuous monitoring” is a growing buzzword in the federal IT security community, and it is a central focus of the Federal Information Security Management Act reporting requirements for federal chief information security officers this year.

To some, continuous monitoring is the long-awaited alternative to compliance audits and the mounds of paperwork that are typically used to satisfy FISMA reporting requirements. To others, it offers great promise in that automated tools can provide much of the information needed to make informed risk decisions and provide the documentation that will meet audit requirements.


Howard Schmidt: Energy Companies Need Continuous Monitoring Practices

From: ExecutiveGov

Utility companies managing the nation’s critical infrastructure should regularly check for security gaps within their delivery systems, according to the White House’s cybersecurity head.

White House Cybersecurity Coordinator Howard Schmidt told attendees of the McAfee public sector conference Wednesday that the energy sector must perform active risk management, continuous monitoring and simulations to determine its security status, Nextgov reports.

The White House and the departments of Energy and Homeland Security are set to test this month a voluntary model with power companies that would assess security postures and identify where companies should focus their cybersecurity efforts.


Notes from FOSE: Continuous Monitoring = Security Intelligence

Posted by Chris Poulin in Compliance, Federal, Security Intelligence, SIEM

Last week I participated in a panel on Continuous Monitoring at FOSE. Joining me were Mark Crouter from MITRE as the moderator, John “Rick” Walsh, chief of technology and business processes in the Cybersecurity Directorate of the Army’s Office of the CIO, and Angela Orebaugh, Fellow and Senior Associate at Booz Allen Hamilton. Auspicious company indeed.


Workforce Management in a Continuous Monitoring Paradigm

Editor’s Note: The attached slide deck discussing the US Census Bureau’s transition from a Certification & Accreditation Process into Continuous Monitoring (CM) was presented at the 25th Annual Conference of the Federal Information Systems Security Educators’ Association. The presentation emphasized that:

While Continuous Monitoring is typically characterized by a focus on technology and security, it is the supporting workforce that enables us to transform our approach and deliver enhanced program capabilities


Performance Metrics for Cloud Computing Needed

Editor’s Note: The discussion of cloud computing performance metrics at FOSE echoes CRE’s statement before the Information Security and Privacy Advisory Board on the need to develop such metrics.

From: GCN

What cloud computing needs to take the next step

By Kathleen Hickey

The General Services Administration and the National Institute of Standards and Technology have developed compliance standards for agency acquisition of cloud computing technology, but they still need to develop performance metrics and interpret standards for agency use of cloud computing technology, experts said at the FOSE 2012 conference held in Washington.


Agencies urged to improve continuous monitoring of IT systems

From: Federal Times

Agencies have been slow to invest in tools that continuously monitor federal systems and networks for cyber intrusions; agencies reported 43,889 such intrusions to the Department of Homeland Security last fiscal year.

A little more than half of the government’s information systems — 56 percent — were monitored in near real time to detect software flaws, required patches, devices operating on the network and other key security metrics, according to 2010 data in a Federal Information Security Management Act (FISMA) report to Congress. Agencies increased that number to 78 percent last fiscal year, but continuous monitoring capabilities are still lagging at some agencies, including the Small Business Administration and Commerce Department.
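The FISMA figure above counts systems that a monitoring source has actually seen in near real time, alongside devices on the network and patches still required. As an added example, not taken from the Federal Times article or from any agency or vendor tool, the following Python script reconciles a constructed authorized inventory against a constructed scanner feed and produces those three results: the share of inventoried systems with a fresh sighting (overall and per component), devices seen on the network that are not in the inventory, and systems whose latest scan still lists missing patches. The 72-hour freshness window, the host and component names, and the patch labels are all assumptions chosen for illustration.

```python
"""Continuous-monitoring reconciliation over constructed data (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed reference time and freshness window. Assumption: a system not
# sighted inside this window does not count as monitored "in near real time".
NOW = datetime(2012, 4, 27, 12, 0, tzinfo=timezone.utc)
FRESHNESS = timedelta(hours=72)

# Constructed authorized inventory: system id -> owning component (placeholder names).
INVENTORY = {
    "web-01": "Commerce",
    "db-01": "Commerce",
    "mail-01": "SBA",
    "file-01": "SBA",
    "dns-01": "SBA",
}

# Constructed scanner feed: "<UTC timestamp> <host> <missing patches, comma-separated, or '-'>".
# Patch labels are placeholders, not real advisories. The last line is an older
# sighting of web-01 and must be superseded by the newer one above it.
FEED = """\
2012-04-27T09:15:00Z web-01 patch-A,patch-B
2012-04-26T22:40:00Z db-01 -
2012-04-20T03:10:00Z mail-01 patch-C
2012-04-27T11:05:00Z rogue-77 -
2012-04-25T08:00:00Z web-01 patch-A,patch-B,patch-D
"""


@dataclass
class Sighting:
    seen: datetime
    host: str
    missing: list  # patch labels the scanner reports as not yet applied


def parse_feed(text):
    """Parse feed lines into Sightings; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, patches = line.split()
        seen = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        missing = [] if patches == "-" else patches.split(",")
        records.append(Sighting(seen, host, missing))
    return records


def reconcile(inventory, sightings, now=NOW, freshness=FRESHNESS):
    """Reconcile the inventory against the feed; only the newest sighting per host counts."""
    latest = {}
    for s in sightings:
        if s.host not in latest or s.seen > latest[s.host].seen:
            latest[s.host] = s

    # Devices observed on the network but absent from the authorized inventory.
    unknown = sorted(h for h in latest if h not in inventory)

    monitored, stale, never_seen, outstanding = [], [], [], {}
    for host in inventory:
        s = latest.get(host)
        if s is None:
            never_seen.append(host)
            continue
        (monitored if now - s.seen <= freshness else stale).append(host)
        if s.missing:
            outstanding[host] = list(s.missing)

    # Per-component coverage, so a lagging component stands out in the report.
    by_component = {}
    for host, comp in inventory.items():
        total, fresh = by_component.get(comp, (0, 0))
        by_component[comp] = (total + 1, fresh + (host in monitored))

    return {
        "coverage_pct": round(100.0 * len(monitored) / len(inventory), 1) if inventory else 0.0,
        "by_component_pct": {c: round(100.0 * f / t, 1) for c, (t, f) in by_component.items()},
        "unknown_devices": unknown,
        "stale": sorted(stale),
        "never_seen": sorted(never_seen),
        "patches_outstanding": outstanding,
    }


if __name__ == "__main__":
    for key, value in reconcile(INVENTORY, parse_feed(FEED)).items():
        print(f"{key}: {value}")
```

With the constructed data, only two of the five inventoried systems have a sighting inside the window, so overall coverage is 40 percent while the Commerce component reports 100 percent and the SBA component 0 percent; the older web-01 scan is discarded, so its extra patch label does not appear in the outstanding list.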
