Mar 27

CDM Program Prepping Data Protection Push at Select Agencies

From: MeriTalk

The Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program office is preparing to work with five Federal government agencies on data protection management efforts, CDM Program Manager Kevin Cox said today at an event organized by RSA and the Advanced Technology Academic Research Center (ATARC).

Data protection management was formerly classified by the CDM program as the final step in the program’s four-phase effort to help put agencies on a better cybersecurity footing (the first three are asset management, identity and access management, and network security management). While the program has done away with the “phases” nomenclature in favor of emphasizing a more holistic and non-sequential approach, its pending work to bring data protection management to selected agencies indicates that some agencies are preparing to work on closing the full circle of the program’s stated aims.

Mar 27

Air Force’s New Fast-Track Process Can Grant Cybersecurity Authorizations In One Week

From: Nextgov

By Aaron Boyd, Senior Editor, Nextgov

The process is a mix of quick but comprehensive testing up front followed by continuous monitoring through the life of the app.

***

Rather than go through each security control individually, the fast-track process allows project owners to run a penetration test—in which cybersecurity experts attempt to break the system—to establish a security baseline, then incorporate continuous monitoring of those systems into the future to ensure they remain secure.

Feb 19

DHS Funding for Cybersecurity Grows In New Bill – Along With Oversight

From: MeriTalk

The Consolidated Appropriations Act–the bill agreed to by House and Senate negotiators that could avert another partial government shutdown–features more cybersecurity-related funding for the Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Security Agency (CISA), but also further obligations to report to Congress in the coming months on key security-related issues.

***

The joint explanatory statement notes that DHS will need to brief Congress on the updated timeline and acquisition strategy for the National Cybersecurity Protection System, also known as EINSTEIN, and the Continuous Diagnostics and Mitigation (CDM) program within 90 days of the bill’s passage, and on a semiannual basis going forward. And the statement specifically calls for more information about the accelerated deployment of CDM Phase 4, data protection management.

Feb 19

IC sharing an ever-growing portfolio of cyber threat data

From: Federal News Network

By Amelia Brust

***

Open source products are also being used in the IC but Jones said it’s important to ensure those products are up to date. Sometimes an agency will match open source technology with commercial products to provide the necessary security enhancements.

“So continuous monitoring automation … leveraging newer technologies is absolutely the direction that we’re moving towards,” she said. “Because of those challenges, as well as the partnerships that we have with vendors and other service providers that we are depending on.”

Jan 23

Where the CDM Program Is Headed in 2019

From: FedTech

DHS’ marquee cybersecurity initiative has room to grow this year, and the agency will soon implement a risk score for other agencies.

by Phil Goldstein

This year will be a significant one for the Department of Homeland Security’s Continuous Diagnostics and Mitigation program, as more agencies adopt its tools and as DHS rolls out new ones to enhance government IT security.

A report from the Government Accountability Office, released in January, makes clear that agencies still have a way to go in deploying all of the CDM program’s tools, though progress has been made. Meanwhile, DHS is moving ahead with plans to launch a new cybersecurity risk score for agencies.

Jan 07

Shutdown hits CISA’s transition

From: FCW

By Derek B. Johnson

***

“The challenge is that you’re trying to stand up a new entity amidst a government shutdown that is paralyzing your ability to do procurements, to hire people where there are fairly significant vacancy rates in [Continuous Diagnostics and Mitigation] and Einstein already,” said Cummiskey.

The cyber policy portfolio at DHS has grown significantly since the 2013 shutdown, adding new responsibilities in election security, implementing new systems and programs like CDM and Automated Indicator Sharing. But during a lapse in appropriations, operations revert to an emergency-only stance.

Nov 29

Agencies Will Soon Have a Cyber Hygiene Score—And Will Know Where They Rank

From: Nextgov

By Aaron Boyd, Senior Editor

The AWARE score will be based on data from agencies’ continuous monitoring tools and will give the Homeland Security Department a holistic view of the government’s cybersecurity posture.

Soon, federal agencies will have a clear idea of how they are doing on basic cybersecurity and be able to compare their posture to other agencies across the government.

The Homeland Security Department’s Continuous Diagnostics and Mitigation program, or CDM, is providing agencies with a sophisticated suite of cybersecurity tools. As those tools are put in place, the associated sensors are sending data to a centralized dashboard, giving Homeland Security and agencies a holistic view of cybersecurity throughout the federal enterprise.

Oct 30

OMB to agencies: CDM success is on you

From: FCW

By Derek B. Johnson

***

In an Oct. 25 memo, Mulvaney, the director of the Office of Management and Budget, lays down the law, saying, “agencies are solely responsible for the state of their cybersecurity posture and must work closely with DHS in order to accomplish CDM program goals at the agency level.”

The memo instructs agencies that they are responsible for setting up information sharing capabilities to connect to the federal dashboard established by DHS. They are also expected to be accountable for any security problems identified. If agencies want to buy or implement continuous monitoring capabilities outside of those offered through CDM DEFEND, the latest task order contract vehicle, they must first justify the decision to the program office, OMB and the federal CIO.

Oct 29

White House Sets Deadlines for Agencies to Protect Their Digital Crown Jewels

From: Nextgov

The new guidance also requires agencies to justify buying cyber monitoring tools that aren’t vetted by Homeland Security.

By Joseph Marks, Senior Correspondent

***

The guidance also expresses White House approval for Homeland Security’s Continuous Diagnostics and Mitigation program, or CDM, which offers suites of pre-vetted cybersecurity tools to federal agencies.

In the future, agencies that want to buy continuous cyber monitoring tools that are not authorized parts of the CDM program must first send memos justifying their decisions to the Homeland Security office that manages CDM and to the federal chief information officer, the guidance states.

Sep 27

Federal Cloud Computing Strategy [Draft for Public Comment]

From: Cloud.CIO.gov

***

Trusted Internet Connections

In 2007, M-08-05 Implementation of Trusted Internet Connections (TIC) was released, with the purpose of standardizing the security of external network connections used by Federal agencies while reducing the number of those external network connections. The Trusted Internet Connections policy was established when agencies maintained the majority of their systems within their agency-owned and operated networks, and when networking was constrained by physical limitations. Since then, the technology landscape has changed dramatically with the proliferation of private-sector cloud offerings, the emergence of software-defined networks, and an increase in the mobile workforce. Improvements to security are now driven by standards and secured connections instead of limited physical connections.
