Apr
28
From: Federal Times
***
Under the current policy, established 15 years ago, agencies are required to review security controls every three years. Modern best practices call for continuous monitoring of systems, using automation tools like those offered through the Continuous Diagnostics and Mitigation (CDM) program.
Without the update, “Circular A-130 remains an obstacle to the full adoption of this modern, automated approach to cybersecurity across government,” the senators wrote.
Apr
26
From: FedTech
***
“If you get too restrictive, shadow IT pops up,” Westervelt says. “That could be something as simple as an employee bringing in a cellphone and using it as a mobile hotspot to bypass the organization’s network, which could introduce a lot of different threats.”
Common tools for preventing and detecting insider threats include privileged account credentials, tamper-proof auditing programs and continuous monitoring tools that track employee behavior. Essentially, agencies must restrict access to sensitive data, track who accesses it, and pinpoint and investigate anomalous behavior.
Apr
25
Editor’s Note: For a case study of NASA’s leadership in continuous monitoring, see Federal Cybersecurity Best Practices: FISMA Continuous Monitoring.
From: FedScoop
By Jeremy Snow
NASA’s lack of a permanent security officer has hurt the agency’s ability to plan and improve its IT, according to an internal watchdog.
“Without a comprehensive information security program plan, we believe NASA will continue to struggle to identify the resources needed to implement requirements for its information security program, including the risk management framework and information security architecture,” Inspector General Paul Martin said in the report released last week.
Apr
22
From: InformationWeek/DarkReading
Despite the fact that databases still hold some of the most valuable data targeted by cyberthieves, the typical organization today lacks visibility into who is accessing their structured data stores and when.
According to a new survey out by Osterman Research of some 200 enterprises, most organizations still don’t assess database activity continuously and lack the capability to identify database breaches in a timely fashion. The study, commissioned by DB Networks, found the top three database security issues among enterprises were tracking compromised credentials; the potential for the organization to experience a major data breach; and the inability of the organization to identify data breaches until it was too late to mitigate damage.
Apr
21
Editor’s Note: Cross-posted from OIRA Watch.
In October 2012, the Chairman and Ranking Member of the House Intelligence Committee issued a joint statement warning American companies that were doing business with the large Chinese telecommunications companies Huawei and ZTE to “use another vendor.”
The bipartisan statement cited the Intelligence Committee’s Report that
“highlights the interconnectivity of U.S. critical infrastructure systems and warns of the heightened threat of cyber espionage and predatory disruption or destruction of U.S. networks if telecommunications networks are built by companies with known ties to the Chinese state, a country known to aggressively steal valuable trade secrets and other sensitive data from American companies.”
Apr
13
From: GCN
Cyberthreats are expanding and evolving at such a rate that many state and local governments are struggling to keep up. Rep. Will Hurd (R-Texas) would like to see the Department of Homeland Security do more to help.
***
Hurd, a computer science major and former CIA officer who now chairs the House Oversight and Government Reform Committee’s IT Subcommittee, introduced the State and Local Cyber Protection Act in 2015. That bill would require DHS’ National Cybersecurity and Communications Integration Center to help state and local agencies identify both system vulnerabilities and possible protections, provide technical assistance to deploy continuous diagnostic and mitigation services as well as offer training to their personnel.
Apr
11
From: Brattleboro Reformer
By Erin Mansfield
***
“CMS has not fully documented procedures that define its oversight responsibilities,” the study says. “Further, while CMS has set requirements for annual testing of a subset of security controls implemented within the state-based marketplaces, it does not require continuous monitoring or annual comprehensive testing.”
“Until CMS documents its oversight procedures and requires continuous monitoring of security controls, it does not have reasonable assurance that the states are promptly identifying and remediating weaknesses and therefore faces a higher risk that attackers could compromise the confidentiality, integrity, and availability of the data contained in state-based marketplaces,” the report said.
Apr
08
From: FCW
By Sean Lyngaas
***
In a letter to OMB Director Shaun Donovan, Carper expressed concern that “flaws in the federal acquisition process can limit the tools agency network defenders can obtain.”
Carper wants to know within a month how OMB is encouraging agencies to use several existing acquisition authorities and programs, including the crucial continuous diagnostics and mitigation initiative, a cybersecurity contract vehicle with a $6 billion ceiling.
Apr
06
From: Nextgov
***
The IG grades are based on reviews of agencies security processes, including continuous monitoring of cyberthreats, identity and access management, incident response and other areas.
***
Why did governmentwide scores lower? Because of new more stringent scoring requirements, which showed that while most agencies have continuous monitoring programs in place, they’re not very effective, according to the report.
Apr
05
From: SCAP Validation Team, NIST SCAP Validation Program
SCAP Community Members,
The SCAP 1.2 validation test suite version 1-2.1.0.0 is now available for download from SCAP Validation Program Publications and Resources page (http://scap.nist.gov/validation/resources.html). The direct URL is https://scap.nist.gov/validation/downloads/SCAP1.2ValidationTestContent_1-2.1.0.0.zip. This release candidate provides support for the NIST IR7511 revision 4 and includes the following major changes: