Continuous monitoring: Closer than you think

From: FCW

By Patrick D. Howard

If you were offered free tires for your car or a tune-up, which would you take? One seems far more valuable than the other, but the answer would depend on the car’s needs. If your current tires are perfectly adequate, then the tune-up for your misfiring engine would be the smarter choice.

That question simplifies the complex choices federal agencies face with the “free” assistance offered by the Department of Homeland Security for its Continuous Diagnostics and Mitigation (CDM) program.


DHS to award continuous monitoring task orders

From: Federal Times

As director of the Federal Network Resilience Division at the Department of Homeland Security, John Streufert oversees a $6 billion effort to secure public-sector networks against cyber threats. That effort, called the Continuous Diagnostics and Mitigation (CDM) program, aims to apply a strategic sourcing acquisition strategy toward the purchase of network sensors, dashboards, expertise and a variety of services to identify and fix the worst vulnerabilities threatening the dot-gov enterprise. Streufert provided an update on that program as the keynote speaker at a June 11 event hosted by Federal Times and its sister publication C4ISR & Networks. Following are edited excerpts of his address and an interview with Federal Times Editor Steve Watkins:


(No title)

From: Infosecurity-Magazine.com

Site forced to close after attacker infiltrated its EC2 control panel.

Popular code hosting service Code Spaces has been forced to close after an attacker managed to access its Amazon Web Services EC2 control panel and delete most of its customers’ data.

A note on what remains of the Code Spaces site explained that the events leading up to its demise began with a “well orchestrated” distributed denial-of-service (DDoS) attack on Tuesday.

The still-unidentified assailant was then discovered to have gained access to the firm’s EC2 control panel and left a series of messages with a contact Hotmail address.


NIST Security Guidance Revision: Prepare Now

From: InformationWeek/Government

Vincent Berk

NIST 800-53 Revision 5 will likely put more emphasis on continuous monitoring. Don’t wait until next year to close your security gaps.

The National Institute of Standards and Technology’s Special Publication 800-53 aims to raise the bar and set a standard of security for federal government information processing systems. As NIST works on Revision 5 of the document, which is expected to come out in April 2015, it will need to reverse the sweeping generalizations made in Revision 4 regarding the nature of the threat against data. Network defense is not a spectator sport — it must be engaged in continuously and consciously.


DHS readies next CDM task orders

From: Federal Times


The Department of Homeland Security is gearing up to issue new task orders for its Continuous Diagnostics and Mitigation program, ensuring that more agencies can obtain the necessary tools to improve the security and resilience of their networks.

The contracts will supply solutions under competitive task orders for 23 agencies within the next 20 weeks, according to John Streufert, director of Federal Network Resilience, the division within DHS taking the lead in the CDM effort.


How to Safely Reduce Security Controls

From: BankInfoSecurity

Freddie Mac Adopts Enhanced, Hybrid Risk Mgt. Framework


Continuous monitoring is helping Freddie Mac reduce the number of security controls it uses to safeguard its information systems, says CISO Patricia Titus, who summarizes lessons that can apply to government and private-sector entities.

Titus says continuous monitoring assures that the controls the Federal Home Loan Mortgage Corp. selects adequately protect its information assets. That, she says, means the government-sponsored enterprise, which buys mortgages on the secondary market and sells them as mortgage-backed securities, can eliminate some security controls deemed unnecessary.


Silicon Valley Mines the Federal Regulatory Data Base

From: Center for Regulatory Effectiveness via PR Newswire

WASHINGTON, June 4, 2014 /PRNewswire-USNewswire/ — Regulations.gov is the keeper of some of the nation’s most precious data—all the information regarding the most important regulations issued by all federal agencies. The information includes copies of proposed rules, copies of final rules, supporting data and most importantly all the comments submitted to federal agencies from the public.

This important function is not housed in a particular agency, and it has neither a well-defined management structure nor a yearly budget; instead, it is managed by a multi-headed interagency council that has to pass the hat to keep the operation running.


Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management

From: NIST

A new NIST Computer Security Division publication, Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management, has been posted at http://csrc.nist.gov/publications/nistpubs/800-37-rev1/nist_oa_guidance.pdf. This publication responds to a requirement from the Office of Management and Budget (OMB) in Memorandum M-14-03, Enhancing the Security of Federal Information and Information Systems, and provides clarifying and amplifying guidance on the application of current NIST guidelines to the security authorization process to facilitate the transition to ongoing authorization. There will be no public comment period for this publication.