NIST SP 800-137

From: Karen Scarphone

NIST invites comments on two draft publications on SCAP. The first is Special Publication (SP) 800-126 Revision 3, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. The second is SP 800-126A, SCAP 1.3 Component Specification Version Updates: An Annex to NIST Special Publication 800-126 Revision 3.

SP 800-126 Revision 3 and SP 800-126A collectively define the proposed technical specification for SCAP version 1.3, which is based on enhancements and clarifications to the SCAP 1.2 specification. SP 800-126A is a new publication that allows SCAP 1.3 to take advantage of selected minor version updates of SCAP component specifications, as well as designated Open Vulnerability and Assessment Language (OVAL) platform schema versions.

From: FederalNewsRadio.com | 1500 AM

By Jason Miller

The Homeland Security Department and the General Services Administration put two more key pieces in place under the Continuous Diagnostics and Mitigation (CDM) program.

GSA, acting as the procurement arm of the CDM program, awarded the continuous monitoring-as-a-service contract — also known as task order 2F — to ManTech. Under this sixth part of task order two, GSA and DHS are asking ManTech to provide services to at least 44 small-and-micro agencies, ranging from the Consumer Product Safety Commission to the Federal Trade Commission to the Postal Regulatory Commission.

Via: Sci/Tech Nation

***

Cybersecurity

***

I have issued an aggressive timetable for improving federal civilian cybersecurity, principally through two DHS programs:

The first is called EINSTEIN. EINSTEIN 1 and 2 have the ability to detect and monitor cybersecurity threats attempting to access our federal systems, and these protections are now in place across nearly all federal civilian departments and agencies.

From: Low-Cards.com

Written By John H. Oldshue

Federal government IT professionals may be overconfident in their insider threat detection abilities, according to a recent study by Tripwire.

***

“Authorization creep is something many organizations fail to address,” said Travis Smith, senior security research engineer for Tripwire. “As employees change roles or are promoted, their roles and responsibilities change; as does their access to confidential information. Protecting confidential information is more than reviewing access denied attempts; employees may be abusing authorized access as well. Following these recommended controls and continuous monitoring over critical and/or confidential information is vital to reduce the likelihood or impact of insider threat.”

From: FedRAMP

Cloud Service Providers (CSPS)

Question:

What is the main objective of “Continuous Monitoring”?

Answer:

Automation is the main objective of “Continuous Monitoring.” The Plan of Actions and Milestones (POA&Ms) submitted each month must accurately report the security posture of the system for that particular month. Security posture is an ongoing assessment. Most large CSPs include  enough automation in their environments that the POA&M becomes an output of that automation. Automation is required to a greater extent in NIST 800-53 Revision 4 and will continue to be a stricter requirement in the next version of NIST 800-53 controls.

From: Firemon

A TOP-DOWN, ALL-ENCOMPASSING VIEW INTO ACCESS AND DEFENSE

Federal agencies face difficult cyber security challenges, storing large amounts of confidential data, protecting critical infrastructures and being assailed by sophisticated threats from a broad range of adversaries. Government practitioners must also meet strict compliance requirements, including FISMA, DIACAP, STIGs, PPSM, CCRI, NERC-CIP, PCI DSS, HIPAA, etc.