Industry Cyber Guidelines Target ‘Insider Threats’

From: Defense One

Aliya Sternstein

The Obama administration has released a draft of computer security protocols for companies that operate key systems, such as chemical plants and the electric grid. The document admittedly does not address privacy issues.


For protection against insider attacks, the company should control who has access to certain physical facilities that house virtual operations, as well as control remote access to internal networks via smartphones and cloud applications. And the firm should tie cybersecurity procedures to human resources procedures during background checks and employee transfers.


National Governors Association directs members to DHS continuous monitoring BPA

From: FierceGovernmentIT

By David Perera

State governments can make use of the Homeland Security Department’s continuous monitoring blanket purchase agreement and may want to do so in conjunction with managed security services available through the DHS-recognized Multi-State Information Sharing and Analysis Center, says a paper from the National Governors Association.

The Sept. 26 paper (.pdf) makes a number of recommendations that states could take to immediately improve their cybersecurity posture, such as establishing a strong state agencywide cybersecurity governance structure “with some degree of central authority.”


FISMA Security Approach Falls Short, Fed IT Pros Say

Editor’s Note: CRE’s comments on the CAESARS Framework Extension (2nd Draft); NIST Interagency Report 7756 are available here.

From: InformationWeek/Government

The primary tool for defending government information systems is inadequate in the battle against cyber threats and attacks, federal IT security managers say.

Richard W. Walker

The primary statutory framework for defending government information systems — the Federal Information Security Management Act (FISMA) — is falling short in the battle against cyber threats and attacks, creating a compelling need for new strategies, such as continuous monitoring, to improve security at agencies, federal cybersecurity professionals say.


DHS continuous monitoring program faces legislative, budget challenges

From: 1500 AM

By Jason Miller

Legislative and budgetary challenges are hindering the Homeland Security Department’s ability to implement the continuous diagnostic and monitoring program.

Suzanne Spaulding, the nominee to be the deputy undersecretary of the National Protection and Programs Directorate (NPPD), told Senate lawmakers Wednesday that DHS is working toward CDM implementation, but “there are some departments who have legal constraints that get in the way of allowing DHS to move forward with CDM.”

After the Senate Homeland Security and Governmental Affairs hearing, a DHS official offered more details about those legal constraints.


Congress to IT security: Happy fiscal New Year

From: GCN

Posted by William Jackson

Priorities for securing government’s IT infrastructure for the coming fiscal year include defending against insider threats posed by unmanaged privileged access and expanded continuous monitoring to address the growing complexity of outsider threats. But these issues could be dwarfed by the challenge of just keeping the lights on come Oct. 1.

“Security is probably the biggest issue we’ve got, because it underlies so much of the other things we are trying to do,” said Paul Christman, public sector vice president at Dell Software. “It can’t go on hiatus.”


Major enterprise IT security enhancement in Hong Kong university

From: Asia Pacific FutureGov

By guest writer Dr Andy Chun, CIO, City University of Hong Kong

The ‘Security Information and Event Management (SIEM) Implementation’ project at the City University of Hong Kong (CityU) is a major enterprise IT security enhancement project. Costing roughly half a million US dollars, the project aimed to tackle crucial information security challenges that are commonly faced by universities around the world.


NIST Draft Document — Continuous Monitoring Building Block: Software Asset Management (Comments Due: 10/14)

From: National Cybersecurity Center of Excellence at the National Institute of Standards and Technology

Continuous Monitoring: Software Asset Management

The National Cybersecurity Center of Excellence (NCCoE) has drafted the first of several building blocks addressing continuous monitoring. You can download the draft below. The draft building block is published here so that interested members of the public can comment. The document will be revised accordingly.

Continuous Monitoring Building Block: Software Asset Management (PDF)

The comment period ends on October 14, 2013.


Cybersecurity: Locks are fine, alarms better

From: FCW

By Frank Konkel

Big data is all around us. It’s helping fast-food chains and retailers keep customers happy, and it’s integral to the now very-public surveillance efforts employed by the intelligence community.

But for federal agencies, one of the most attractive uses of big data and the accompanying analytics it allows for may be in the realm of cyber defense.

While the cybersecurity measures most federal agencies employ continue to improve, statistics show an increasing prevalence of large-scale data breaches in the private sector, a trend that almost certainly extends to their government counterparts.


Expanding Continuous Diagnostic Effort

From: BankInfoSecurity

States, Local Governments Can Tap Into $6 Billion Program

By Eric Chabrow

John Streufert, the DHS director overseeing the rollout of a federal continuous diagnostic initiative to mitigate IT systems vulnerabilities, expects that many state and local governments will participate in the program.

Known as the Continuous Diagnostic and Mitigation program, the Department of Homeland Security initiative offers agencies at all levels of government the ability to purchase discounted hardware, software and services to assess cybersecurity risks and present those risks in a continuously updated dashboard.


Industry Cyber Guidelines Target ‘Insider Threats’

From: Defense One

Aliya Sternstein

Final guidelines to protect the networks that run critical infrastructure are due in February 2014 by executive order. This week’s preview is timed to coincide with a workshop in Dallas next week, where government officials and representatives from affected sectors will flesh out the voluntary procedures, a federal official said.