NIST SP 800-137

From: FCW

What: A National Institute of Standards and Technology “sources sought” notice seeks information on vendors that can help the agency test a proven risk-scoring methodology that would lead to a long-term, real-time continuous monitoring program.

Why: NIST is looking for a plan, software and technical services for a year-long pilot for five categories of users at the agency: authorizing officials, information system owners, information system security officers, operating unit security officers and security control assessors.

Read Complete Article

From: Defense Systems

By Chris  LaPoint

With its ongoing effort toward a Joint Information Environment, the Defense Department is experiencing something that’s extremely familiar to the enterprise world: a merger. The ambitious effort to consolidate communications, services, computing and enterprise services into a single platform is very similar to businesses coming together and integrating disparate divisions into a cohesive whole. Unlike a business merger, however, JIE will have a major impact on the way the DOD IT is run, ultimately providing better flow of and access to information that can be leveraged throughout all aspects of the department.

From: FedTech

Agencies are implementing new security standards that focus on continuous monitoring and accountability.

by Leon Erlanger

Federal information security managers are in the early stages of updating their computer systems to conform to the Federal Information Systems Modernization Act, which President Obama signed into law in December.

The new law updates cybersecurity accountability, reporting requirements and overall security strategies. At its core, it was written to help agencies better share information as well as provide greater insight into the security threats the government and the nation’s critical infrastructure now face.

Read Complete Article

From: National Defense

By Allyson Versprille

DHS is allocating $6 billion in funding for the initiative, which will provide enhanced cyber security to civilian federal agencies. In August 2013, DHS chose the 17 companies that can compete for the pot of money.

***

Read Complete Article

From: FierceHomelandSecurity

By Dibya Sarkar

Two major cyber programs – Continuous Diagnostics and Mitigation and Einstein – being developed and deployed across the federal government should improve network defenses in the next couple of years, according to two Homeland Security Department officials testifying April 15 on Capitol Hill.

But there are some legal hang-ups that need to be resolved so federal departments and agencies can participate in Einstein, Andy Ozment, who is assistant secretary within DHS’s National Protection and Programs Directorate, told lawmakers during a Senate Appropriations subcommittee hearing on homeland security.

Read Complete Article

From: TechTarget

by: Michael Heller

In its 2015 Data Breach Investigations Report, Verizon debuts data breach cost estimates based on newly available data, and also advocates for better threat intelligence sharing among different industries facing common threats.

Enterprises have long struggled to accurately estimate the cost of a data breach because of the many variables involved, but in its new Data Breach Investigations Report (DBIR), Verizon is confident enough in its newly gathered data to offer predicted data breach cost ranges for the first time.

***

From: InformationWeek/DarkReading

Ericka Chickowski

SANS report shows gaps in insider detection and response.

Enterprises today are still on their heels when it comes to preparing for insider attacks. A recent survey conducted by SANS Institute on behalf of SpectorSoft shows that while organizations are gaining awareness of the risks, they still lack visibility and response planning into threats coming from the inside.

***

SANS reports that the primary focus on insiders has been on detection rather than prevention. The survey showed that the most leaned-on tool for detection is an internal audit, followed by network monitoring, centralized log management and SIEM tools. However, in spite of these tools, only about 10 percent of organizations said they could detect an insider attack within an hour.

From: ComputerWeekly.com

Warwick Ashford

Most organisations are not following incident response best practices and are not well prepared to face advanced cyber threats, a study has revealed.

The study by RSA, the security division of EMC, compared the results of a breach readiness survey in 30 countries with a benchmark survey of the security leaders of global 1,000 companies which are members of the Security for Business Innovation Council (SBIC).

***

The report said most organisations recognise that basic log collection through security information and event management (Siem) systems only provides partial visibility into their environment.

From: GCN

By Kirk Norsworthy

Wearables are poised to seriously affect our day-to-day lives. In fact, reports indicate Apple intends to manufacture more than five million Apple Watches in its first run. Consumers generally set trends while businesses and government agencies follow on adoption, but the success of the Apple Watch and other wearables will affect how quickly these devices infiltrate agencies. Though we may be years away from significant adoption, it’s important for government agencies to begin incorporating wearables into their security planning now.

***

From: EMC2

Posted by chrishoo in RSA Archer GRC

Gartner just released their IT Risk Management Magic Quadrant results. RSA is at the front, as usual, but when I saw the results I was immediately struck by a question: How closely do Gartner’s and the federal community’s visions of IT Risk Management align? There has been discussion around redefining these categories and some have been broken out into new MQs. So, for my federal security professional colleagues, I just wanted to run through Gartner’s definition of ITRM and compare them to current federal thinking and initiatives.