NIST SP 800-137

From: beta news

By Ilia Kolocheno

***

Penetration testing is the ultimate way to test web security

No, because penetration testing is not scalable and cannot be used in a 24/7 continuous mode. Even if you can afford monthly penetration testing, nobody can guarantee that within the 30-day period no zero-days will go public, or your web developers will not make a dangerous error in the code.

Penetration testing can perfectly complement your continuous monitoring, but it can never replace it. This is why MIT folks say that the future belongs to hybrid systems that combine 24/7 continuous monitoring leveraging machine-learning, but supervised and managed by humans.

From: FCW

By Mark Rockwell

It is official: The government requires minimum cybersecurity standards for contractors that store sensitive information in their IT systems.

***

“Systems that contain classified information, or CUI such as personally identifiable information, require more than the basic level of protection,” a May 16 Federal Register notice states. The regulation was issued by the Defense Department, the General Services Administration and NASA.

Read Complete Article

From: FederalNewsRadio.com 1500 AM

By Jason Miller | @jmillerWFED

It’s been 11 months since federal employees and contractors first learned about the massive data breach impacting the Office of Personnel Management. Since then the federal community has seen a 30-day cyber sprint, which turned into a long term Cybersecurity National Action Plan. And now, the Obama administration is attacking the government’s cybersecurity problem by modernizing legacy systems that put agencies at more risk and cost more to maintain.

From: FierceGovernmentIT

By Eli Richman

The Department of Homeland Security is closing in on contract awards for the second phase of its Continuous Diagnostics and Mitigation system. Since the department launched Phase 2 last year, it has so far issued a request for quotation and taken submissions, so contractors are expecting award announcements any day.

The Continuous Diagnostics and Mitigation program, or CDM, is an approach started by DHS to increase agencies’ network security through commercial off-the-shelf tools.

Read Complete Article

From: CSO

Enterprise IT professionals who use these leading security information and event management (SIEM) products identify the most valuable features and the areas needing improvement.

IT and security managers in the IT Central Station online community say that the most important characteristics of security information and event management (SIEM) products is the ability to combine information from several sources and the ability to do intelligent queries on that information.

Four of the top SIEM solutions are Splunk, HPE ArcSight, LogRhythm, and IBM Security QRadar SIEM, according to online reviews by enterprise users in the IT Central Station community.

From: Security Intelligence

BY CARL C. MANION

Suppose you’ve recently bought a piece of land and you’re interested in building a house on it. Whether you are acting as architect, general contractor, project supervisor or all of the above, the first step would be getting your hands on a set of blueprints. Blueprints provide you with detailed guidance for planning your efforts, staying on schedule, saving time and resources and successfully finishing your home.

From: U.S. Senate Homeland Security & Governmental Affairs

In Light of Recent FISMA Report, Lawmakers Urge Agency to Complete Critical Cybersecurity Revisions

WASHINGTON – U.S. Senators Tom Carper (D-Del.) and Ron Johnson (R-Wis.), Ranking Member and Chairman of the Senate Homeland Security and Governmental Affairs Committee, sent a letter to Shaun Donovan, Director of the Office of Management and Budget (OMB), requesting an update on efforts to complete and issue revisions to Circular A-130, which establishes OMB’s official policy and guidance on information technology management and cybersecurity for federal agencies.