NIST SP 800-137

A key issue discussed on the second day of the regularly scheduled meeting of the Internet Security and Privacy Advisory Board (ISPAB), an expert advisory body established by Congress to advise NIST, the Secretary of Commerce and OMB, concerned revisions to Circular A-130, Management of Federal Information Resources.  Revisions to Appendix III of  the Circular, Security of Federal Automated Information Resources was the focus of discussions.  The ISPAB received a presentation on possible revisions to A-130 from representatives of a highly experienced ad hoc group convened to provide OMB with guidance on A-130 information security issues.

Dr. Ron Ross, a Fellow at NIST and leader of the FISMA Implementation Project, emphasized the importance of continuous monitoring in discussing the forthcoming NIST SP 800-53, Rev. 4 set of security controls.  Dr. Ross stated that Rev. 4 supports “A New Cyber Defense Vision — Build it right — Continuously Monitor.”  The presentation was provided at a meeting of the Internet Security and Privacy Advisory Board (ISPAB) held on the NIST campus in Gaithersburg, MD.

The presentation described four key aspects of the future of cyber defense:

1. Develop risk-aware mission business processes;

From: Network World

By John Linkous

The University of North Carolina-Charlotte (UNCC) recently disclosed that they have discovered over 350,000 student, staff and faculty records – including Social Security numbers – that have been exposed to public access in multiple systems, in some cases for several years.

NIST has released SP 800-146, Cloud Computing Synopsis and Recommendations.  The document provides guidance on cloud computing that is broadly applicable to a wide range of federal and private clouds.  Thuss, the document has applicability far beyond FedRAMP.

SP 800-146, attached below, states:

Consumers may be subjected to a variety of regulations such as the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS), the Health Information Protection and Accountability Act (HIPAA), the Federal Information Security Management Act (FISMA) of 2002, or the Gramm-Leach-Bliley Act (GLBA). Consumers, who are ultimately responsible for their data processed on provider’s systems, will need to require assurances from providers that they are aiding in compliance of the appropriate regulations.

From: Disaster Recovery Journal

By Patrick Taylor

I have noticed a few challenges in operational efficiencies and financial transaction security that I predict could affect businesses throughout 2012. Those areas — lack of expertise in managing and analyzing Big Data, hackers using social engineering to gain access to sensitive systems and optimized business processes such as procurement using transaction analysis — can be leveraged to turn a company into a much more efficient and secure enterprise, and ultimately improve its bottom line. As the year gets underway, I wanted to share some recommendations on not only meeting these challenges but turning them into strengths. The following are a few suggestions on how to meet these challenges:

From: Digital Government Institute

August 28 – August 29, 2012

Office of Management and Budget (OMB), Department of Homeland Security (DHS) and National Institute of Standards and Technology (NIST) are placing increased emphasis on implementing an effective “information security continuous monitoring (ISCM) program” for all government and contractor run IT systems. This will be accomplished by DHS and OMB increasing the annual FISMA reporting requirements and NIST issuing NIST Special Publications (SP):

• Information Security Continuous Monitoring Guideline (SP 800-137) – Final
• Security-Focused Configuration Management Guideline (SP 800-128) – Final
• Update Risk Assessment Guideline (SP 800-30 Rev 1)

According to an article on Nextgov, the General Services Administration (GSA), which manages the FedRAMP federal cloud project, is

still figuring out how to compel real-time information sharing between private companies and agencies. With cloud computing, departments essentially outsource their IT to a commercial data center over which they have no control.

Nextgov also reports that GSA is moving ahead with FedRAMP certifications despite not having in place an essential component of cyber security for cloud computing — real time automated continuous monitoring (ISCM). Should GSA actually certify cloud vendors for federal IT business without their having all the necessary continuous monitoring requirements and procedures in place, security of the FedRAMP clouds could be compromised along with federal IT security and the national interest.

Editor’s Note:  The US CERT report, Insider Threat Security Reference Architecture (ITSRA) by Joji Montelibano and Andrew Moore is attached below.

From: Superconductor

Luther Martin

The folks at CERT recently released their Insider Threat Security Reference Architecture. Here’s how they describe what’s in this document:

From: Federal Computer Week

By Alan Joch

From the start, some CIOs have harbored nagging doubts about the effectiveness of the Federal Information Security Management Act. After all, does the rearview-mirror perspective on security that the now 10-year-old law requires really protect an agency from the latest security threats and future vulnerabilities?

The Office of Management and Budget and Homeland Security Department are tackling those concerns with calls for agencies to continuously monitor security-related information across the enterprise, including near-real-time oversight of hardware, software and services to uncover breaches as they’re unfolding.

The slide deck attached below was presented by Aplura at today’s Splunk>Live! DC event.

The recommendations in this document were compiled by Aplura’s staff over there more than 5-years of Splunk administration and professional services engagements. Many of these items come up time and time again during engagements and consideration of these items will result in a more successful implementation.

A successful implementation is one that is efficient, scalable, follows information security best-practice, and is, most importantly, useful. Although everything here is valuable, some of it does not apply for very small or specific implementations of Splunk. Largely, most of this applies to most environments we see.