A Look at Issues Facing Federal IT Workers

From: NextGov

By Brittany Ballenstedt

There has been much evidence in recent months that agencies are making progress in implementing the requirements of the 2010 Telework Enhancement Act. But some significant gaps still exist in ensuring secure remote access for federal workers, according to a new report.

In its annual report to Congress on the implementation of the Federal Information Security Management Act, the Office of Management and Budget noted that some agencies are moving toward two-factor authentication for remote access, versus previous methods that required only a user ID and password.

“Strengthening Security Management through CyberStat Model”

OMB’s FY 2011 Report to Congress on FISMA implementation discusses plans for the CyberStat review process, which uses data from the CyberScope reports.

DHS will continue to work with agencies to identify and correct weaknesses in their cybersecurity programs. The reviews provide the opportunity for agencies to identify the cybersecurity capability areas where they may be facing implementation maturity roadblocks (e.g. technology, organizational culture, internal process, or human capital/financial resource challenges). In addition, CyberStat Reviews highlight areas where agencies are meeting and exceeding required standards.

The report also noted that:

NATO Rapid Reaction Team to fight cyber attack

From: North Atlantic Treaty Organization

Cyber warfare is war without any noise, tanks or aircraft. Currently, it is a profitable, relatively risk-free and anonymous crime. It is often difficult to identify the origin or perpetrators of the attack – and this is the main problem. In order to be more effective, all the parties involved must work together: NATO, the private sector, international organizations, academia. By the end of 2012, a rapid reaction team (RRT) capability of NATO cyber defence experts will be operational.

The technical centre of the NATO Computer Incident Response Capability (NCIRC) is the nerve centre of the Alliance’s fight against cyber crime.

DOE proposes cybersecurity risk management process for electric energy industry

From: FierceGovernmentIT

A proposed Energy Department cybersecurity risk management process guideline for the U.S. electric energy industry draws heavily from existing guidance published by the National Institute of Standards and Technology.

In a March 7 Federal Register notice, DOE solicits feedback on the draft process guideline (.pdf), which freely acknowledges that it is based on NIST Special Publication 800-39. The NIST publication is the foundation for Federal Information Security Management Act implementation; however, neither document specifies a set of security controls.

Rather, both documents describe a method organizations are supposed to use when framing, assessing, responding to and monitoring cyber risk.

Is There a Market Failure In Cybersecurity?

From: Mercatus Center/George Mason University

Eli Dourado [1], Jerry Brito [2]

With more than a dozen related bills in Congress, cybersecurity has become a pressing policy topic. Several of these bills would give federal regulators the power to mandate how private sector networks are secured. But do private networks really need to be told how to protect themselves? If there’s no market failure for the government to correct, then shouldn’t private networks be left to secure themselves? Having direct knowledge of their systems, they are surely better equipped than outsiders—and should have the greatest incentives—to do so. In this short briefing paper, we explain what a market failure is and how the concept applies to cybersecurity.