5:26 pm, June 19, 2013

NIST News

Advice about continuous network monitoring from MOC

This week, the show features two speakers from the Management of Change conference, which took place in Philadelphia earlier this year.
Encore Presentation

Thursday - 07/08/2010, 11:00am EDT

Cybersecurity awareness gets a NICE start

Cybersecurity training is expanding beyond agencies and into high schools, libraries and other workplaces. It's called the National Initiative for Cybersecurity Education. We learn more about it from NIST's Dr. Ernest McDuffie.

Thursday - 07/01/2010, 02:05pm EDT

Cybersecurity gets nice NICE baby!

Also in the cybersecurity headlines: Navy CIO Carey moving to Fleet Cyber Command, Study Reveals DHS Does Not Dominate the Homeland Security Market

Thursday - 07/01/2010, 09:30am EDT

Fed invents most accurate clock in the world

If you are a stickler for time then you're in luck.

Tuesday - 06/29/2010, 04:55pm EDT

Feds lead Smart Grid development effort

The Senate is now considering a bill, approved last week by the House, designed to help the nation's electrical grid evolve into an enhanced Smart Grid which would help protect itself from cyber-attacks. In addition, however, the Smart Grid is also expected to help the nation do a better job of managing our electrical resources. A group of federal employees recently talked about their role in developing the Smart Grid.

Tuesday - 06/15/2010, 07:15am EDT

Sammies Tracker: Quantum cryptography gets real

Quantum cryptography was first demonstrated in the laboratory in the 1980s and had largely been viewed as an experimental field due to a variety of practical difficulties. NIST's Joshua Bienfang made the dream come true.

Tuesday - 07/19/2011, 01:13am EDT

NIST offers Continuous Monitoring FAQ

Rent-a-botnet attack for $9 an hour, Macs under attack by spyware

Tuesday - 07/19/2011, 01:12am EDT

CIO Council report on cloud sets future vision

The document highlights work being done by NIST, standards working group and budget guidance to agencies. NIST to come out with several special publications to help agencies implement cloud computing. The CIO Council also includes use cases on 30 different cloud implementations.

Wednesday - 05/26/2010, 10:56am EDT

FISMA's facelift focuses on four areas, for now

DHS is leading the effort to rework cybersecurity metrics around patch, configuration, vulnerability and inventory management. Justice plans to host an industry day in June to tell vendors how cyberscope works. NIST will issue new cyber publications and GSA plans on new RFP for situational awareness and incident response tools.

Tuesday - 05/25/2010, 06:43pm EDT

NIST to coordinate interagency cyber effort

Computer breaches starting to level off, GISLA awards open for nominations

Friday - 04/30/2010, 08:30am EDT

Rockefeller stumps for cybersecurity

The Senate is now considering one of several cybersecurity bills now making their way through the U.S. Congress. The principal co-author of one bill spoke to a software industry group holding a cybersecurity forum at the Newseum yesterday.

Friday - 04/30/2010, 07:56am EDT

NIST restructuring bill passes committee

Major malware campaign abuses unfixed PDF flaw

Thursday - 04/29/2010, 08:30am EDT

Federal Information Security - The Shift to a Risk Management Framework

The National Institute of Standards and Technology's (NIST) recent release of Special Publication 800-37, Revision 1, "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach," is an important change in the direction of how federal agencies achieve information security and manage information system-related security risks. It shifts the focus away from a point-in-time Certification and Accreditation (C&A) approach to compliance towards continually assessing risk and security authorization. As a result, the federal information security community is sending a message to the broader federal community and creating an important discussion: the cyber threat is real and must be addressed in the context of its potential impact on an organization. Cyber security is not as simple as a "check the box" requirement. The paradigm shift away from point-in-time security and towards obtaining situational awareness of the organization's risk posture must be as pervasive in the federal government as the cyber threats are against us.

Regarding the impact on agency security procedures, the publication is clear on the focus of its new framework, stating:

    The revised process emphasizes: (i) building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls; (ii) maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes; and (iii) providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems.


This new Risk Management Framework builds much needed flexibility into the overall federal information security lifecycle to address the increasing nature and scope of threats in real-time, providing a number of key advantages that include:
  • Continually evaluating the organization's risk posture and maintaining situational awareness of its cyber security posture
  • Understanding the state and maturity of an agency's cyber security program
  • Evaluating cyber security programs at key vulnerability points: people, processes, and technology
  • Maintaining a focus on the security program lifecycle
  • Addressing the key functions (governance, risk, management, compliance, operations) of a security program


Perhaps most importantly, agency security programs will be better positioned to evolve and mature - an absolute necessity for staying ahead of the growing and dynamic threat to our Nation's cyber security.

Wednesday - 03/03/2010, 07:39pm EST

Cyber Security - Five Key Challenges

In addressing the importance of cyber security as a government priority in testimony before a Senate Homeland Security and Governmental Affairs subcommittee last fall, Vivek Kundra, the Federal Chief Information Officer, said:

"Our Nation's security and economic prosperity depend on the stability and integrity of our Federal communications and information infrastructure." Federal News Radio has reported that the federal government will spend $8.3 billion on computer security this year - marking a 60% increase in four years. As Federal information security decision-makers allocate dollars and resources to protect our infrastructure, it is important to prioritize the key challenges they face. These include:

    1. Increased use of mobile devices. Mobile devices are becoming smaller and faster every day. Agencies face even more challenges as mobile applications have now become widely used and they are even looking to build their own mobile applications to increase their productivity in the field.
    2. Continued movement of data into the cloud. Cloud computing has become a pervasive buzzword but in the end, risk stems from a matter of oversight and control. Agencies must rely on strong governance and compliance oversight of their service providers since they do not own or control the systems where their data resides.
    3. Changing regulatory environment. NIST has undergone sweeping changes across their Special Publications by introducing a new Risk Management Framework and introducing new nomenclature such as "Security Authorization." OMB continues to press their performance metrics as a part of the FISMA reporting process and could see some changes in the next 9 months.
    4. Application security. Attackers have now moved their focus from the network and infrastructure level to the application layer. We're seeing more attacks proliferated through applications such as Adobe and web browsers but some high profile data breaches stemmed from custom web applications through SQL injection attacks.
    5. Developing/maturing offensive capabilities. "Understanding the offensive to build the defensive" has become the mantra for today's cyber security efforts. The ability to understand the mindset of an attacker and their methods becomes critical in building defenses that focus on these attack vectors.

Reining in the changes can pose a difficult problem for several agencies but it ultimately comes down to understanding the threats to your particular agency and narrowing your defenses on those areas. Focus and prioritization become key in the constant battle.

Tuesday - 02/02/2010, 10:46am EST

Agency cybersecurity reporting to get makeover

OMB has launched new tool to automate FISMA reporting. This data will help populate a new cybersecurity dashboard, federal CIO Vivek Kundra says. OMB also wants to collect more specific data around how much and where agencies are spending money on IT security.

Saturday - 10/31/2009, 12:10am EDT

NIST helps small business at big dataloss risks

NIST has published a guide to help small businesses and organizations understand how to provide basic security for their information, systems and networks.

Tuesday - 07/19/2011, 12:55am EDT

CIO Council taskforce to change security metrics

New group is developing performance measures that are based on outcomes. OMB has set a November deadline for a draft of the metrics that will be reviewed by government and industry. DHS says the governmentwide focus to improve cybersecurity is on standards, metrics and authentication.

Saturday - 10/03/2009, 12:10am EDT

NIST releases final cybersecurity recommendations

Many fundamentals are reiterated, while new threats are also identified.

Thursday - 08/13/2009, 05:53pm EDT

Microsoft Vista Making Way For Windows 7

Tuesday - 07/19/2011, 01:28am EDT