Will FISMA Standards Be Extended to the Private Sector to Avoid A Financial Cyber Attack?

Are We Ready for a Financial Cyber Attack?

Source: Wall Street Journal

An assault on Estonia in 2007 disrupted banking and other services for over a week.

Last week, the European Union revealed that its headquarters had come under a major cyber attack, likely state-sponsored, on the eve of the EU summit. Earlier this month, the French announced that they had been hit with a cyber assault at the end of 2010, probably launched by Chinese hackers, aimed at pilfering sensitive G-20 documents from finance ministry computers in Paris. Last fall, the Nasdaq suffered what looks like an organized-crime attack on a service it provides to corporate executives for exchanging confidential files.

FedRAMP: Critical to Cost-Effective Cloud Computing CyberSecurity

In September 2009, the Obama Administration announced the Federal Cloud Computing Initiative. As the government’s CIO explained, cloud computing “has the potential to greatly reduce waste, increase data center efficiency and utilization rates, and lower operating costs.” The Federal Risk and Authorization Management Program (FedRAMP) addresses the key elements of a cloud computing framework for federal agencies.

Federal use of a “shared pool of configurable computing resources” does, however, present special cybersecurity challenges, particularly with regard to continuous monitoring.

NASA IG Warns of “Catastrophic Adverse Effect” — Calls for Continuous Monitoring

An Audit Report by NASA’s Office of Inspector General found that “six computer servers associated with IT assets that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable. Moreover, once inside the Agency-wide mission network, the attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA’s operations.”

The IG report warned that “the Agency is vulnerable to computer incidents that could have a severe to catastrophic adverse effect on Agency assets, operations, or personnel.”

NIST’s “Capstone” FISMA Publication Provides Superb Understanding of Risk Monitoring

NIST’s Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View was described by the agency as “the capstone publication” of the Joint Task Force, “a federal cyber security partnership made up of the Department of Defense, the Intelligence Community and NIST.”

Of particular note, SP 800-39 introduced the

three-tiered risk management approach that recommends federal agencies focus, initially, on establishing an enterprise-wide risk management strategy as part of a mature governance structure involving senior leaders/executives and a robust risk executive (function). The risk management strategy addresses some of the fundamental issues that organizations face in how information security risk is assessed, responded to, and monitored over time in the context of critical missions and business functions.

GAO Testimony Highlights Need to Improve Federal CyberDefense Capacity, Protect Critical Infrastructure

In testimony before the House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, GAO emphasized the need to improve the nation’s capacity to protect against cyber threats. Of particular note, GAO emphasized the need for federal-private sector cooperation in securing critical infrastructure.

As GAO explained,

We recommended that the national Cybersecurity Coordinator and DHS work with their federal and private sector partners to enhance information-sharing efforts, including leveraging a central focal point for sharing information among the private sector, civilian government, law enforcement, the military, and the intelligence community.

GAO’s complete testimony is attached below.