Senators want timeline on update to OMB’s main IT policy

From: Federal Times


Under the current policy, established 15 years ago, agencies are required to review security controls every three years. Modern best practices call for continuous monitoring of systems, using automation tools like those offered through the Continuous Diagnostics and Mitigation (CDM) program.

Without the update, “Circular A-130 remains an obstacle to the full adoption of this modern, automated approach to cybersecurity across government,” the senators wrote.



Commerce, State Departments Take Steps to Combat Insider Security Threats

From: FedTech


Data breaches caused by federal employees, either knowingly or unwittingly, are a major concern at agencies, but security controls are not enough to tackle the threat.


“If you get too restrictive, shadow IT pops up,” Westervelt says. “That could be something as simple as an employee bringing in a cellphone and using it as a mobile hotspot to bypass the organization’s network, which could introduce a lot of different threats.”

Common tools for preventing and detecting insider threats include privileged account credentials, tamper-proof auditing programs and continuous monitoring tools that track employee behavior. Essentially, agencies must restrict access to sensitive data, track who accesses it, and pinpoint and investigate anomalous behavior.


NASA needs permanent leadership to improve IT security

Editor’s Note: For a case study of NASA’s leadership in continuous monitoring, see Federal Cybersecurity Best Practices: FISMA Continuous Monitoring.

From: FedScoop

NASA’s risk management and security architecture “will continue to struggle” without a permanent security officer, according to the agency’s inspector general.

By Jeremy Snow

NASA’s lack of a permanent security officer has hurt the agency’s ability to plan and improve its IT, according to an internal watchdog.

“Without a comprehensive information security program plan, we believe NASA will continue to struggle to identify the resources needed to implement requirements for its information security program, including the risk management framework and information security architecture,” Inspector General Paul Martin said in the report released last week.


Databases Remain Soft Underbelly Of Cybersecurity

From: InformationWeek/DarkReading

Most enterprises still don’t continuously monitor database activity.

Despite the fact that databases still hold some of the most valuable data targeted by cyberthieves, the typical organization today lacks visibility into who is accessing their structured data stores and when.

According to a new survey out by Osterman Research of some 200 enterprises, most organizations still don’t assess database activity continuously and lack the capability to identify database breaches in a timely fashion. The study, commissioned by DB Networks, found the top three database security issues among enterprises were tracking compromised credentials; the potential for the organization to experience a major data breach; and the inability of the organization to identify data breaches until it was too late to mitigate damage.


Is the FCC Inviting the World’s Cyber Criminals into America’s Living Rooms?

Editor’s Note: Cross-posted from OIRA Watch.

In October 2012, the Chairman and Ranking Member of the House Intelligence Committee issued a joint statement warning American companies that were doing business with the large Chinese telecommunications companies Huawei and ZTE to “use another vendor.”

The bipartisan statement cited the Intelligence Committee’s Report that

“highlights the interconnectivity of U.S. critical infrastructure systems and warns of the heightened threat of cyber espionage and predatory disruption or destruction of U.S. networks if telecommunications networks are built by companies with known ties to the Chinese state, a country known to aggressively steal valuable trade secrets and other sensitive data from American companies.”


Congressman sees broader role for DHS in state and local cyber efforts

From: GCN

By Troy K. Schneider

Cyberthreats are expanding and evolving at such a rate that many state and local governments are struggling to keep up. Rep. Will Hurd (R-Texas) would like to see the Department of Homeland Security do more to help.


Hurd, a computer science major and former CIA officer who now chairs the House Oversight and Government Reform Committee’s IT Subcommittee, introduced the State and Local Cyber Protection Act in 2015. That bill would require DHS’ National Cybersecurity and Communications Integration Center to help state and local agencies identify both system vulnerabilities and possible protections, provide technical assistance to deploy continuous diagnostic and mitigation services, and offer training to their personnel.


GAO identifies security flaws in Health Connect

From: Brattleboro Reformer

By Erin Mansfield


“CMS has not fully documented procedures that define its oversight responsibilities,” the study says. “Further, while CMS has set requirements for annual testing of a subset of security controls implemented within the state-based marketplaces, it does not require continuous monitoring or annual comprehensive testing.”

“Until CMS documents its oversight procedures and requires continuous monitoring of security controls, it does not have reasonable assurance that the states are promptly identifying and remediating weaknesses and therefore faces a higher risk that attackers could compromise the confidentiality, integrity, and availability of the data contained in state-based marketplaces,” the report said.


Senate Dem queries OMB over cyber acquisition

From: FCW

By Sean Lyngaas


In a letter to OMB Director Shaun Donovan, Carper expressed concern that “flaws in the federal acquisition process can limit the tools agency network defenders can obtain.”

Carper wants to know within a month how OMB is encouraging agencies to use several existing acquisition authorities and programs, including the crucial continuous diagnostics and mitigation initiative, a cybersecurity contract vehicle with a $6 billion ceiling.



Federal Cybersecurity by the Numbers: The Biggest Spenders and the Biggest Threats

From: Nextgov

By Jack Moore and Caitlin Fairchild


The IG grades are based on reviews of agencies’ security processes, including continuous monitoring of cyberthreats, identity and access management, incident response and other areas.


Why did governmentwide scores drop? Because of new, more stringent scoring requirements, which showed that while most agencies have continuous monitoring programs in place, those programs are not very effective, according to the report.



[scap-dev] SCAP Validation Test Suite 1- Final

From: SCAP Validation Team, NIST SCAP Validation Program

SCAP Community Members,

The SCAP 1.2 validation test suite version 1- is now available for download from the SCAP Validation Program Publications and Resources page (http://scap.nist.gov/validation/resources.html). The direct URL is https://scap.nist.gov/validation/downloads/SCAP1.2ValidationTestContent_1- This release candidate provides support for NIST IR 7511 revision 4 and includes the following major changes:

  • Support for additional platforms: Microsoft Windows 8.1, Windows Server 2012 R2, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7.
  • New test content for the following requirements: SCAP.R.2910, SCAP.R.2920, SCAP.R.2930, SCAP.R.2940, SCAP.R.3005, SCAP.R.3010, and SCAP.R.3030.
  • Added new OVAL test types.
