NIST SP 800-137

From: GCN

By Matt Brown

The current IT landscape has been hit with an unprecedented number of cyberattacks, and the number is only growing.  In fact, the number of cyberincidents reported by federal agencies to the U.S. Computer Emergency Readiness Team has increased from 5,503 in fiscal year 2006 to 48,562 in fiscal year 2012, an increase of 782 percent.  Unfortunately, defensive cybermeasures alone are no longer enough to ensure networks remain secure.  Organizations must set up proactive, automated vulnerability and attack identification that enables personnel to take immediate action to defend against the current threat landscape.

From: FCW

By Mark  Rockwell

Continuous diagnostics and mitigation tools are becoming a regular feature of federal agencies’ thought processes as the cross-government cyberthreat mitigation effort evolves, according to officials in charge of implementing the programs.

Agencies seeking to catch cyberthreats in real time and increase situational awareness before problems cause damage are beginning to internalize the development of CDM capabilities, said Margie Graves, deputy CIO at the Department of Homeland Security, during a Feb. 20 panel discussion sponsored by the Association for Federal Information Resources Management.

Editor’s Note: To read about the Center for Regulatory Effectiveness’s work enhancing federal cyber security transparency, see the Internet Architecture Board’s (IAB) comments to NIST in the matter of the NIST Special Publication 800-90A (Recommendation for Random Number Generation Using Deterministic Random Bit Generators) review proceeding here and CRE’s comments on NIST Special Publication 800-137 Information Security Continuous Monitoring for Federal Information Systems and Organizations here.

From: GovInfoSecurity.com

Feedback Sought on Development Process

By Eric Chabrow

Because of concerns of possible National Security Agency meddling with its cryptographic standards, the National Institute of Standards and Technology has issued a draft report proposing revisions in how it develops cryptographic standards.

From: The Washington Post/The Federal Diary

By Joe Davidson

The outbreak of comity in the House Oversight and Government Reform Committee, often a sharply partisan place, means the government’s security-clearance process is in for significant changes.

Democrats and Republicans on the committee are united by an urgency to fix a system that was not able to stop Aaron Alexis’s September rampage. He was a defense contractor with a security clearance who attacked his Washington Navy Yard workplace, killing 12 before being shot to death by police.

From: GCN

By William Jackson

Agencies will have to up their cybersecurity games under a recent memo from the Office of Management and Budget that requires formal plans for Information Security Continuous Monitoring (ISCM) by Feb. 28.

OMB Memo M-14-03, Enhancing the Security of Federal Information and Information Systems, released in November, includes requirements to move to standardized technology and the use of automated feeds to a yet-to-be-developed dashboard for showing the status of government IT systems.

The focus on continuous monitoring — or continuous diagnostics and mitigation, or continuous measurement and management — is not new in government. But the latest guidelines introduce new elements, says Patrick Howard of Kratos Defense and Security Solutions.

From:  Help Net Security

Tripwire and the Government Technology Research Alliance (GTRA) announced the results of a U.S. government cybersecurity survey that evaluated the attitudes and responses of 111 security and compliance professionals from U.S. government agencies and contractors.

“Cybersecurity continues to be one of the top priorities of senior executives in the federal government,” said Ron Ross, fellow at National Institute of Standards and Technology (NIST). “Studies, such as this one, bring together important data points that help decision makers assess trends and take part in an ongoing dialog that will help us craft effective solutions to our difficult and challenging cybersecurity problems.”

From: CIOL

2014 Cyberthreat report finds 77 percent of IT professionals choose NAC for mobile security

News | CIOL Bureau

CAMPBELL, USA: The “2014 Cyberthreat Defence Report” found that respondents rated network access control (NAC) highest of all the security technologies in its potential to defend against today’s cyberthreats and that 77 percent of IT professionals are using or plan to use NAC for mobile security.

The survey also showed the compelling need for continuous monitoring and mitigation; more than 60 percent of participants had been breached in 2013, with a quarter of all participants citing a lack of employer investment in adequate defences as a factor.