Proof-of-concept BIOS malware & Draft NIST SP 800-147B, BIOS Protection Guidelines for Servers

Editor’s Note:  NIST’s Draft Special Publication 800-147B “BIOS Protection Guidelines for Servers” is attached here.  Comments are due September 14, 2012 and should be sent to:  Below is a story that illustrates why BIOS protection is needed.

From: FierceCIO

Proof-of-concept BIOS malware can hide in PCI firmware

By Paul Mah

Hardware on the motherboard, including the BIOS and PCI firmware of devices such as network cards or CD-ROMs, can be infected by malware. This was demonstrated by security researcher Jonathan Brossard at both the Black Hat security and Defcon hacking conferences last week.

Debunking the 5 myths of Big Data

From: Washington Technology

By Chris Smith

As the new era of Big Data steams ahead, federal agencies have to quickly come to terms with how to access, prioritize, manage, analyze, store and exchange the crush of data coming their way.

It is straining their ability to handle the tremendous volume. Structured, unstructured and semi-structured data are in documents, websites, social networks, mobile channels and relational databases.

GAO: Privacy — Federal Law Should Be Updated to Address Changing Technology Landscape

Editor’s Note:  The Testimony before the Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia by Gregory C. Wilshusen, GAO’s Director for Information Security Issues, is attached here.

GAO found:

Technological developments since the Privacy Act became law in 1974 have changed the way information is organized and shared among organizations and individuals. Such advances have rendered some of the provisions of the Privacy Act and the E-Government Act of 2002 inadequate to fully protect all personally identifiable information collected, used, and maintained by the federal government. For example, GAO has reported on challenges in protecting the privacy of personal information relative to agencies’ use of Web 2.0 and data-mining technologies.

FCC Initiates Notice of Inquiry on Mid-Atlantic Emergency Communications Resiliency and Reliability

Editor’s Note:  For background informaiton on this issue, see FISMA Focus here.

Tomorrow’s Federal Register will contain a notice from the Federal Communications Commission announcing an investigation into the storm-related disruption of emergency communications in the Mid-Atlantic.  The FCC notice is attached here.

From: FCC

Medical Cybersecurity – Fertile Ground for Activists


Increasing attention is being given to various facets of healthcare-related cybersecurity by industry, the public, and regulators. From preventing malicious interference with medical devices to securing the appropriate privacy and integrity of patient records, the health care industry and other vested interests need to be closely involved in cybersecurity matters. And when industry and federal regulators are involved, NGO watchdogs are also involved.