FISMA News

From: Fierce Government IT

A controversial Internet security bill proposed in 2010 by Sen. Joe Lieberman (I-Conn.) could yet become law in the current session of Congress, said Jeff Greene, counsel on the majority staff of the Senate Homeland Security and Governmental Affairs Committee.

The bill, S.3480, “Protecting Cyberspace as a National Asset Act of 2010″ is garnering early bipartisan support in the new Congress, Greene said during a Jan. 19 ACT-IAC meeting in Falls Church, Va.

“FISMA hasn’t necessarily worked out as well as we had hoped,” said Greene. “Current structures are disorganized, they’re decentralized, they’re inefficient and generally speaking, they’re fairly weak.”

From: Fierce Government IT

A big part of the problem is the use of the word “ensure.” FISMA uses the word “ensure” instead of the word “enforce” in the context that the chief information officer shall “ensure compliance” with FISMA. That simple word choice guarantees that the CIO, and the subordinate “senior agency information security officer,” have no authority. If you don’t believe me, a memorandum I requested from the general counsel of the Department of Veterans Affairs when I served as the chief information security officer said exactly that. On April 7, 2004, the counsel wrote an opinion stating that the word “ensure” instead of the word “enforce” guaranteed the CIO and CISO no authority to enforce policies or hold people accountable for violating policies.

From E-Gov Monitor

Federal agencies have been provided with a detailed map of how they should conduct the security review of classified information.  The initial order to asses handling of classified information was issued by the OMB in the President’s office in November last year following the Wikileaks revelations.

Now, that order has been followed up with more than 100 questions that agencies need to address including the decision making process that determines who gets access to classified material in automated systems. The questionnaire also asks if agencies have adequate measures against “insider threat”.  

For Immediate Release: January 5, 2011
Contact: Evelyn Brown
301-975-5661

As the day draws nearer for the world to run out of the unique addresses that allow us to use the Internet—now predicted to happen by the end of 2012—researchers at the National Institute of Standards and Technology (NIST) have issued a guide for managers, network engineers, transition teams and others to help them deploy the next generation Internet Protocol (IPv6) securely.

Guidelines for the Secure Deployment of IPv6 (NIST Special Publication 800-119), describes the features of IPv6 and the possible related security impacts, provides a comprehensive survey of mechanisms to deploy IPv6 and suggests a deployment strategy for a secure IPv6 environment.