App And Database Security Are Two Halves Of A Whole

From: Dark Reading

By Ericka Chickowski

The yin and yang of data security, application security and database security are two halves of a whole: different, but dependent on one another to reach true completion. When both fail at once, an attack such as SQL injection has a far greater impact, because the injected query runs with whatever access the database has granted the application. To limit the scope of such attacks, developers and DBAs both need to acknowledge their role in the process and work together to ensure that web applications aren’t exposing sensitive databases.

This starts by understanding how much the current web app phenomenon has opened up once-closed databases.
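The following is an added illustration of the two halves described above; it is not code from the Dark Reading article. It uses Python's standard sqlite3 module with a constructed users table. The developer's half is the contrast between a concatenated query and a parameterized one; the DBA's half is modelled with an sqlite3 authorizer callback that refuses reads of the sensitive column, standing in for the least-privilege database role or restricted view a real deployment would use (SQLite has no GRANT). The table, column names and payloads are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data for this example (not from the article).
USERS = [
    (1, "alice", "alice@example.com", "111-11-1111"),
    (2, "bob", "bob@example.com", "222-22-2222"),
    (3, "carol", "carol@example.com", "333-33-3333"),
]


def make_db():
    """Seed an in-memory database, as the DBA would before handing a connection to the app."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, ssn TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    conn.commit()
    return conn


def restrict_app_connection(conn):
    """DBA half: the application's connection may never read users.ssn.

    The authorizer is a stand-in for a least-privilege database role; SQLite has
    no GRANT, so column-level denial is done here in the connection instead.
    """

    def authorizer(action, arg1, arg2, dbname, source):
        # For SQLITE_READ, arg1 is the table and arg2 the column being read.
        if action == sqlite3.SQLITE_READ and arg1 == "users" and arg2 == "ssn":
            return sqlite3.SQLITE_DENY  # abort the whole statement
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)
    return conn


def lookup_vulnerable(conn, name):
    """Developer half gone wrong: user input concatenated into the SQL text."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """Parameterized query: the input is bound as data and never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def run(fn, conn, payload):
    """Return the rows a lookup yields, or a 'denied' marker if the database refuses it."""
    try:
        return fn(conn, payload)
    except sqlite3.DatabaseError as exc:  # SQLITE_AUTH surfaces as DatabaseError
        return "denied: " + str(exc)


def demo():
    """Exercise each combination of developer and DBA controls against two payloads."""
    bypass = "' OR '1'='1"                              # classic filter bypass
    exfil = "x' UNION SELECT name, ssn FROM users --"   # pull the sensitive column
    results = {}

    # Neither half in place: the app account can read everything.
    unrestricted = make_db()
    results["vuln_bypass"] = run(lookup_vulnerable, unrestricted, bypass)
    results["vuln_exfil"] = run(lookup_vulnerable, unrestricted, exfil)
    results["hardened_bypass"] = run(lookup_hardened, unrestricted, bypass)

    # DBA half only: injection still works, but its scope is limited.
    restricted = restrict_app_connection(make_db())
    results["vuln_exfil_restricted"] = run(lookup_vulnerable, restricted, exfil)
    results["vuln_bypass_restricted"] = run(lookup_vulnerable, restricted, bypass)

    # Both halves: the intended query works and nothing else does.
    results["hardened_alice"] = run(lookup_hardened, restricted, "alice")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point the output makes is the one in the paragraph above: the DBA-side restriction alone still lets the bypass payload dump every name and email, and the developer-side fix alone still leaves the application account able to read the SSN column if some other query is ever injectable; only with both in place is the blast radius of a single mistake contained.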


Agencies struggle with continuous monitoring mandate

From: 1500AM

Federal cybersecurity managers are unprepared and struggling to implement continuous monitoring.

A recent survey of more than 200 federal cyber managers found only 27 percent are currently putting the capabilities in place to analyze their computer networks in real time.

The Office of Management and Budget set a Sept. 30, 2012 deadline for agencies to have these functionalities in place. Agencies also must put all their data in the CyberScope tool run by the Homeland Security Department. OMB set a Nov. 15 deadline to start to use CyberScope.


FedRAMP and Transparency

Transparency in the operation of FedRAMP was a key theme at GSA’s December 16th Industry Event. GSA and NIST officials emphasized that the FedRAMP program would operate transparently and that applicable standards and requirements will be public. The officials also emphasized that the program’s “do once, use many times” framework for security assessment, authorization and continuous monitoring was designed to avoid redundant security assessments, thus saving “significant cost, time and resources.”

The Center for Regulatory Effectiveness, operating in its capacity as a Regulatory Watchdog, will be scrutinizing and reporting on the rollout and implementation of FedRAMP by all participants in the process. CRE may take additional actions, if warranted, to ensure that FedRAMP achieves its economic and security objectives.


Government Security Practitioner Survey: Countdown to Continuous Monitoring

A study from Dimensional Research and RedSeal Networks found that:

  • “A majority of agencies will fail to comply with 2012 federal security requirements;” and
  • “Only 22% of federal agencies have already deployed mandated continuous monitoring solutions as ordered.”

Moreover, 55% of agencies “stated they do not have the tools necessary to meet the OMB directive or are unaware if they do, making compliance unlikely.”

It should be noted, however, that an “overwhelming majority of respondents at 64% indicated that continuous monitoring with increased measurement and use of security metrics will improve overall security management.” [Emphasis added]


Deltek: Cybersecurity spending should grow

From: Washington Post

By Deniece Peterson

Between 2011 and 2016, federal spending on information technology is expected to slow dramatically. One exception? Cybersecurity spending.

Agencies have little choice but to beef up budgets. The number of federal cybersecurity incidents reported to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team has jumped 659 percent since 2006.

The rise in incidents has caught the attention of policymakers, who have added new security requirements in legislation such as the Homeland Security Cyber and Physical Infrastructure Protection Act. Those requirements have worked their way into agency solicitations and into the federal effort to consolidate data centers, which the Office of Management and Budget has said should “increase the overall IT security posture of the government.”


The Critical Role of Civil Servants

Historically, federal civil servants played a critical role in developing and implementing federal policy. The attached article in the Administrative Law Review, published by the American Bar Association in conjunction with the Washington College of Law of the American University, sets forth in Section D on page 54 the critical role career federal employees had in the establishment of centralized regulatory review in the White House Office of Management and Budget.


FedRAMP Launched

The General Services Administration has launched its much-awaited FedRAMP cybersecurity initiative for cloud-based products and services.

Federal CIO Steven VanRoekel’s Memorandum for Federal Chief Information Officers, Security Authorization of Information Systems in Cloud Computing Environment, is attached below. Also attached below is Mr. VanRoekel’s related slide presentation, Federal Information Technology Doing More with Less Through Strategic Investments.

More information may be found at

FISMA Focus will be tracking and reporting on FedRAMP’s ramp-up.

The following is from GSA:


NASA OIG Faults Agency’s Continuous Monitoring

The OIG Audit Report found that NASA has “made progress in transitioning to a continuous monitoring program.” However, the agency still has a significant amount of work to accomplish. Specifically,

NASA needs to (1) create and maintain a complete, up-to-date record of IT components connected to Agency networks; (2) define the security configuration baselines that are required for its system components and develop an effective means of assessing compliance with those baselines; and (3) use best practices for vulnerability management on all its IT systems.

The report recognized that,


Another View of the State Department/IG Report

From: Government Executive

ANALYSIS Looking the Wrong Way

By Franklin S. Reeder

When agency watchdogs miss the point, they stifle innovation, increase risk and perpetuate waste.

Agency inspectors general and auditors at the Government Accountability Office go to great lengths to promote efficiency in federal operations by detecting fraud, waste and mismanagement. Their findings are among the most powerful catalysts for bringing about change for the good in government. But when they are wrong, that power to enable rapid action becomes in itself a source of waste and mismanagement. All too often, audit reports punish innovators because they are based on guidelines and checklists that fail to distinguish between the important and the trivial. As a result, these assessments can compel agencies to spend scarce resources on the wrong things.