NIST SP 800-137

From: TechTarget

Expert Karen Scarfone examines important criteria for evaluating security information and event management (SIEM) products for use by an organization.

by Karen Scarfone

Security information and event management (SIEM) products and services collect, analyze and report on security log data from a large number of enterprise security controls, host operating systems, enterprise applications and other software used by an organization. Some SIEMs also have the ability to attempt to stop attacks in progress that they detect, potentially preventing compromises or limiting the damage that successful compromises could cause.

From: Coalfire

Recently, the FedRAMP Program Management Office (PMO) released new guidance to all Cloud Service Providers (CSP) regarding the actions FedRAMP will take when a CSP fails to maintain an adequate risk management program. The document, FedRAMP P-ATO Management and Revocation Guide (PDF), describes the escalation process and actions that FedRAMP will dictate when a CSP fails to adhere to the requirements of their Provisional Authority to Operate (P-ATO). Some key takeaways we wanted to highlight include:

• The FedRAMP PMO is improving the focus on risk in the areas of Operational Visibility, Significant Changes, and Incident Response.

From: GCN

By Joel Dolisy

***

It’s also a growing challenge. In a recent survey of 200 federal IT professionals conducted by SolarWinds and Market Connections, more than half of the respondents said they believed shadow IT will increase in the next two years – and that it will open their networks to potential threats.

***

Monitor networks and log files for unexpected ports and protocols. The IT pros who reported having little to no shadow IT in their organizations have mostly all implemented automated network monitoring tools that use a single-pane-of-glass view into their networks, systems, applications and security. Security information and event management software and monitoring tools can show system anomalies, track bandwidth usage, log files and look for patterns – all of which can indicate shadow IT and potential security issues.

From: GCN

By Paul McCloskey

Agencies are increasingly turning to predictive analytics to root out fraud, but those aren’t the only tools being used to spot and control anomalous behavior. New identity security tools are emerging to help enterprises that might be victimized in fraud schemes enabled by insiders or attackers using insider credentials. Those users have been at the center of several recent high-profile attacks. Their privileges were exploited as the result of sophisticated spear-phishing attacks, including the one on health insurer Anthem earlier this year in which 80 million records were stolen.

***

From: Intelligent Utility

By Matthew M. Blizard, Celia Y. David & Kenneth C. Lotterhos

***

The aftermath of the September 11, 2001 terrorist attacks has demonstrated rather painfully that security cannot be hardened or regulated to a point that eliminates all potential threats. To attempt a strategy solely on prevention would be prohibitively costly and is likely unsuccessful. Alternatively, implementing a containment regimen is far more manageable. Upon detection of potential cyber issues (through continuous penetration testing and forensic analysis), quickly isolating affected systems to limit damage and widespread or cascading impacts is paramount. Building in alternate system pathways and replicating or backing up essential information can harden a system against a crippling attack. Response plans must mitigate risk. This can be accomplished through active network monitoring (such as the Cybersecurity Risk Information Sharing Program being pursued by the DOE and volunteering Bulk Power System entities), forensics, and the adoption of operating procedures and information sharing that are leading to future self-healing systems.

From: Lexology

Christian F. Henel, Gunjan R. Talati, Lawrence M. Prosen and Thomas F. Zych | Thompson Hine LLP

***

Once final, the guidance, “Improving Cybersecurity Protections in Federal Acquisitions,” will likely provide requirements in the following five areas, each of which impacts how contractors develop and maintain their information security systems:

***

Information security continuous monitoring (ISCM). The guidance encourages agencies to develop ISCM as a way of maintaining ongoing awareness of federal contractors’ information security capabilities. The guidance does not specify a particular technology or program to achieve ISCM. To the extent agencies do not implement ISCM, they must require that contractors meet or exceed security monitoring requirements set forth in OMB Memorandum M-14-03.

From: The National Law Review

Article By Susan B. Cassidy, Alejandro L. Sarria | Covington & Burling LLP

On August 11, 2015, the Office of Management and Budget (OMB) issued a draft guidance memorandum intended to improve cybersecurity protections in federal acquisitions. Specifically, the proposed memorandum provides direction to federal agencies on “implementing strengthened cybersecurity protections in Federal acquisitions for products or services that generate, collect, maintain, disseminate, store, or provides access to Controlled Unclassified Information (CUI) on behalf of the Federal government.” CUI is defined in a recently issued proposed FAR rule as “information that laws, regulations, or Government-wide policies require to have safeguarding or dissemination controls, excluding classified information.”

From: GCN | Pulse

Lockheed Martin, the defense contracting giant, has been accredited as a Commercial Service Provider under the Department of Homeland Security’s Enhanced Cybersecurity Services.

ECS is a voluntary information sharing program intended to help U.S.-based public and private organizations with network improvements and other protections that defend against unauthorized access, exploitation or data exfiltration.  DHS works with cybersecurity organizations from across the federal government to gain access to a broad range of sensitive and classified cyber threat information.  It then shares cyber threat indicators developed through ECS with qualified Commercial Service Providers so they can better protect their customers.

From: Technically Speaking

Caron Beesley

***

2. The Expansion of Continuous Monitoring

Another positive action that OPM has taken is to work with the Department of Homeland Security (DHS) to implement the Continuous Diagnostics and Mitigation program (CDM) by March 2016 on both its own systems and, where possible, those of contractors.

Information security training organization SANS claims that many of the basic security practices that weren’t implemented at OPM, including patching vulnerabilities, restricting privileged user accounts, checking logs for attack indicators, and so on, should have been routine procedures that CDM would have detected and mitigated. “The DHS Continuing Diagnostics and Mitigation program was funded back in 2012 to address almost all of these issues but has largely disappeared into the government procurement Bermuda triangle. “

From: Hacking the Universe

By Omar Fink

NIST (National Institute of Standards and Technology) has announced a new Special Publications (SP) series of documents called SP-1800, intended to augment the SP-800 series.

SPECIAL PUBLICATIONS – [nist.gov]

SP 1800, NIST Cybersecurity Practice Guides (2015-present):
A new subseries created to complement the SP 800s; targets specific cybersecurity challenges in the public and private sectors; practical, user-friendly guides to facilitate adoption of standards-based approaches to cybersecurity;

The first draft document in the 1800 series has been released for comment:

Securing Electronic Health Records on Mobile Devices – [nist.gov]