FISMA News

From: NextGov

The Homeland Security Department and consulting firm Mitre Corp. on Monday unveiled a system for rating the protection of software products to help agencies, contractors and consumers ensure they are buying safe technology, in the same way the Energy Star labeling program helps guarantee eco-friendly purchases, DHS officials said.

The scoring reflects the degree to which software offerings defend against the most common programming flaws — which are widespread in agency systems as noted by a recent audit of Internal Revenue Service databases. Last week, the Treasury Department inspector general released a report that found software housing taxpayer information is not always protected against attacks.

From: Bloomberg

The U.S. Department of Homeland Security ran a test this year to see how hard it was for hackers to corrupt workers and gain access to computer systems. Not very, it turned out.

Staff secretly dropped computer discs and USB thumb drives in the parking lots of government buildings and private contractors. Of those who picked them up, 60 percent plugged the devices into office computers, curious to see what they contained. If the drive or CD case had an official logo, 90 percent were installed.

From: Federal Register

SUMMARY: The Information Security and Privacy Advisory Board (ISPAB)
will meet Wednesday, July 13, 2011, from 8 a.m. until 5 p.m., Thursday,
July 14, 2011, from 8 a.m. until 5 p.m., and Friday, July 15, 2011 from
8 a.m.. until 12:30 p.m. All sessions will be open to the public.

DATES: The meeting will be held on Wednesday, July 13, 2011, from 8
a.m. until 5 p.m., Thursday, July 14, 2011, from 8 a.m. until 5 p.m.,
and Friday, July 15, 2011 from 8 a.m. until 12:30 p.m.

The U.S. Senate became the latest victim in a string of hacks into government and high-profile groups like the IMF and Lockheed Martin. Here’s what security experts say the Feds must do better.

By J. Nicholas Hoover,  InformationWeek

LulzSec breached and released internal data from a U.S. Senate Web server Monday in the latest in a series of well-publicized attacks on high-profile government and government-related targets over the past several months that has also seen the compromise of the International Monetary Fund, Lockheed Martin, the Oak Ridge National Laboratory, the Group of 20, FBI partner InfraGard, Gmail accounts of government officials, and RSA’s SecurID authentication, which is used heavily in government.

From: ComputerWeekly.com

How can businesses measure the effectiveness of their IT security teams to ensure they are getting value?

Make sure security information is available at the right level, writes Vladimir Jirasek, director of communications, CSA UK & Ireland and project lead CAMM.

The question of measuring the value of security in an organisation has not been fully answered since the creation of information security discipline. And this fact is, in my opinion, one of the reasons security teams find it difficult to convince business to invest in security, except perhaps immediately after an incident.

Editor’s Note: A link to the complete document may be found here.

From: FederalNewsRadio.com

The Homeland Security Department has issued new cyber security guidance for agencies. It is designed to help them comply with reporting requirements under the Federal Information Security Management Act, or FISMA. The 11-page document adds metrics on continuous monitoring to the list of security items to be reported. It also asks for inventories of network equipment, security methods in place, and what kind of training system operators are receiving. The new document was first reported by the SANS Institute, a security training group. SANS says the new guidance will result in rapid risk reduction.

From: InfoSecurity.com

RSA hackers might have been behind the recent information security incident at defense contractor Lockheed Martin, according to security experts.

Lockheed Martin said on May 27 that it detected a “significant and tenacious attack on its information systems network.” The firm stressed that “our systems remain secure; no customer, program or employee personal data has been compromised.” It added that “appropriate” US federal agencies had been notified of the incident.

Lockheed Martin and other defense firms use RSA SecureID tokens to enable employees to gain access to corporate networks from outside the office.