NIST Public Comment Announcement/SCAP

From: NIST

The August 1st, 2011 deadline for public comments on the Draft Special Publication (SP) 800-126 Revision 2, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2 and the Draft Interagency Report (IR) 7802, Trust Model for Security Automation Data (TMSAD) Version 1.0 is approaching. Your feedback is important to us to ensure the best possible final documents. We appreciate the thorough comments we have received to date.

If you plan to provide feedback, please submit SP 800-126 Revision 2 comments to 800-126comments@nist.gov with “Comments SP 800-126” in the subject line, and IR 7802 comments to ir7802comments@nist.gov with “Comments IR 7802” in the subject line. Public comments may also be posted to scap-dev@nist.gov.


FedRAMP delivery date fuzzy

From: FierceGovernmentIT

The launch date for the Federal Risk and Authorization Management Program, or FedRAMP, is still unclear. While speaking July 20 at the FOSE conference in Washington, D.C., Ron Ross, project leader of the FISMA implementation project at the National Institute of Standards and Technology, touted the benefits FedRAMP will deliver to agencies looking to purchase cloud computing technologies.

“It’s a great program,” he said after explaining how it will provide common requirements for cloud computing vendors and third-party vendor assessments that agencies can refer to for purchasing decisions.


New Version of Security Automation Protocol Includes Digital Trust Model

From NIST Tech Beat: July 19, 2011

Contact: Evelyn Brown

Researchers at the National Institute of Standards and Technology (NIST) have released for public comment updated specifications for the Security Content Automation Protocol (SCAP), which helps organizations find and manage computer-system vulnerabilities more effectively by standardizing the way vulnerabilities are identified, prioritized and reported.

SCAP unites and organizes a collection of computer security specifications and reference data to support automated security programs that check vulnerabilities in information systems, such as configuration errors, missing software “patches,” misapplied security settings and many others. SCAP-based security tools are particularly valuable for securing large, complex information systems and organizations with many distributed computing systems.
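SCAP results are exchanged as XCCDF documents, and the interesting part of a scan is the per-rule outcome. The script below, an added example rather than NIST code or anything from SP 800-126, parses a constructed XCCDF 1.2 TestResult and reports result counts, the rules that need attention ordered by severity, and a simple unweighted pass rate. Only the XCCDF 1.2 namespace and the TestResult, rule-result, result, target and severity names come from the specification; the host name, rule identifiers and outcomes are hypothetical sample data, and the pass-rate calculation is a simplification rather than the XCCDF scoring model.

```python
"""Summarize an XCCDF 1.2 TestResult (SCAP benchmark output).

Added illustration, not NIST code. The XML below is constructed for this
example; rule ids, host name and outcomes are hypothetical.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"   # XCCDF 1.2 namespace (SP 800-126 r2)
NS = {"x": XCCDF_NS}

# Ranking used to order findings; "high" first. Not part of the spec.
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

# Results that a practitioner should look at rather than ignore.
NEEDS_ATTENTION = {"fail", "error", "unknown", "notchecked"}

# Constructed sample TestResult for one host (hypothetical ids and outcomes).
SAMPLE_RESULTS = f"""<?xml version="1.0"?>
<TestResult xmlns="{XCCDF_NS}" id="xccdf_example_testresult_host1"
            start-time="2011-07-20T10:00:00" end-time="2011-07-20T10:05:00">
  <target>host1.example</target>
  <rule-result idref="xccdf_example_rule_ssh_root_login" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_password_min_len" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_patch_level" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_audit_enabled" severity="low">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_firewall_default_deny" severity="medium">
    <result>error</result>
  </rule-result>
</TestResult>
"""


def parse_test_result(xml_text):
    """Return (target, findings) where findings is a list of dicts with
    rule id, severity and result text for every rule-result element."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XCCDF_NS}}}TestResult":
        raise ValueError(f"not an XCCDF 1.2 TestResult: {root.tag}")
    target_el = root.find("x:target", NS)
    target = target_el.text.strip() if target_el is not None and target_el.text else ""
    findings = []
    for rr in root.findall("x:rule-result", NS):
        result_el = rr.find("x:result", NS)
        # A rule-result with no <result> child is treated as unknown, not pass.
        result = (result_el.text or "").strip() if result_el is not None else "unknown"
        findings.append({
            "rule": rr.get("idref", ""),
            "severity": rr.get("severity", "unknown"),
            "result": result or "unknown",
        })
    return target, findings


def result_counts(findings):
    """Count outcomes, e.g. {'fail': 2, 'pass': 1, ...}."""
    return dict(Counter(f["result"] for f in findings))


def rules_needing_attention(findings):
    """Rule ids with fail/error/unknown/notchecked results, highest severity first."""
    hits = [f for f in findings if f["result"] in NEEDS_ATTENTION]
    hits.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 4), f["rule"]))
    return [f["rule"] for f in hits]


def pass_rate(findings):
    """Unweighted share of pass among pass+fail rules (simplification, not
    the XCCDF scoring model). Returns None when no rule was pass or fail."""
    counts = Counter(f["result"] for f in findings)
    decided = counts["pass"] + counts["fail"]
    return counts["pass"] / decided if decided else None


if __name__ == "__main__":
    target, findings = parse_test_result(SAMPLE_RESULTS)
    print(f"target: {target}")
    print("counts:", result_counts(findings))
    print("needs attention:", rules_needing_attention(findings))
    print("pass rate:", pass_rate(findings))
```

Rules whose check raised an error are deliberately grouped with failures: an "error" outcome means the check did not run, so treating it as compliant would hide exactly the hosts a continuous-monitoring program most needs to see.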


SANS Institute Educates Congress on Cost Effective Continuous Monitoring

In testimony before the Oversight and Investigations Subcommittee of the House Financial Services Committee, Alan Paller of the SANS Institute emphasized the importance of continuous monitoring. Mr. Paller also emphasized the cost-effective nature of continuous monitoring in his testimony.

The great shame is that doing security right can cost less than we spend now to do it wrong. The waste was documented by a Senate oversight committee Chairman, who pointed out that billions are being paid to contractors, at a rate of more than $1,000 per page, for millions of pages of useless reports documenting out-of-date and generally less important security problems.


DHS official: Security vulnerabilities present in technology supply chain

From: FierceGovernmentIT

American-manufactured hardware and software purchased by the government and U.S. consumers have at times included components preloaded with spyware and malware by unknown foreign parties, a Homeland Security Department official reluctantly acknowledged during a July 7 hearing before the House Oversight and Government Reform Committee.

“This is one of the most complicated and difficult challenges that we have. The range of issues goes to the fact that there are foreign components in many U.S.-manufactured devices,” said Greg Schaffer, acting deputy undersecretary of DHS’s national protection programs directorate. Schaffer later added that the White House and DHS have known of the threat for some time.


As Hacks Proliferate, New Security Technology Emerges to Monitor Privileged IT Users

From: Forbes

Much like the United Kingdom has aggressively implemented Closed Circuit Television (“CCTV”) to fight crime, security software vendors are now rolling out comparable monitoring capabilities for computer networks to help detect and deter cyber-security crimes, and some are already seeing big financial exits.