IG Evaluation of DHS Information Security Program in FY 2016 Found Deficiencies

From: HomelandSecurity.US

Despite the progress the Department of Homeland Security (DHS) made in taking actions to strengthen its information security program, not all components in Fiscal Year 2016 “consistently follow[ed] DHS’s policies and procedures to maintain current or complete information on remediating security weaknesses [in a] timely [manner],” according to a new DHS Inspector General (IG) audit report. “Components operated 79 unclassified systems with expired authorities to operate,” the IG found.


Continuing, the IG said, “We also identified deficiencies related to configuration management and continuous monitoring. Without addressing these deficiencies, the department cannot ensure that its systems are adequately secured to protect the sensitive information stored and processed in them.”


DHS tackles backlog of unauthorized IT systems

From: FCW

By Mark Rockwell

The Department of Homeland Security’s inspector general patted the agency on the back for its progress in cybersecurity training and stronger security practices, but it said the agency is still fielding IT systems without required authority to operate certification and has some continuous monitoring risk management issues to address.

The IG’s report said the agency had taken “significant” steps to get behind DHS Secretary Jeh Johnson’s January 2016 memo requiring component agencies to step up their cybersecurity measures, including training for employees and contractors, using two-factor authentication for its classified network and reporting security metrics.


NIST Issues Draft Update to the Cybersecurity Framework

From: JDSupra Business Advisor

by Patrick Fowler | Snell & Wilmer

On January 10, 2017, as the Obama administration draws to a close, the National Institute of Standards and Technology (“NIST”) released a long-awaited draft version 1.1 of its ground-breaking Framework for Improving Critical Infrastructure Cybersecurity. This draft revision builds upon the initial “version 1.0” of the cybersecurity framework, which NIST released in February 2014, pursuant to an Executive Order issued by President Obama in February 2013 as part of his cybersecurity agenda. The initial framework was the result of a collaborative process involving industry, government and academia, supervised by NIST. The framework is a significant part of the federal government’s cybersecurity policy for improving the protection of critical parts of the government and industry from cyber attacks.


Tennessee Valley Authority Makes Cybersecurity Top Priority

From: Government Technology

TVA employees are required to take cybersecurity training on an annual basis to ward off phishing schemes that may seek passwords or other sensitive information.

by Adam Smith, The News Courier (Athens, Ala.)

“As the nation’s largest power provider, we work around the clock to monitor our network to protect it from cyber threats,” he said. “… We perform continuous monitoring, penetration testing and vulnerability assessments.”


“Our critical infrastructure systems are housed within a specific network and are isolated from the corporate network. You have to have special authorization to log into it and it’s not attached to the internet,” he said. “We have a fence between personal computers and the grid; they don’t touch.”


Russia’s New Information Security Doctrine: Guarding a Besieged Cyber Fortress

From: Center for Security Studies

By Katri Pynnoeniemi and Martti Kari

This article was originally published by the Finnish Institute of International Affairs (FIIA) on 20 December 2016.

Russia’s new Information Security Doctrine follows the line adopted in previous strategic documents whereby Russia is perceived as a besieged fortress. The doctrine identifies a number of external threats to Russia’s information space and calls for intensified monitoring of the Russian segment of the internet, Runet.