Jul 31

18F working to overhaul the ATO process

From: FedScoop

Written by

***

In a July 24 comment on its GitHub site, 18F officials said they are developing a plan entitled “Project Boise” to overhaul the authority to operate (ATO) process, by which an agency determines that products meet the security requirements needed to operate on federal IT systems.

***

To develop new policies, the 18F team will collaborate with stakeholders like the Department of Homeland Security’s Continuous Diagnostics and Mitigation group, the Office of Management and Budget, the White House’s Office of American Innovation, the National Institute of Standards and Technology, and FedRAMP.

Jul 26

Employees Pose Bigger Threat to Cybersecurity Than Hackers

From: ReadItQuik

by Timothy Crosby

***

In a Harvey Nash/KPMG survey, 4,500 CIOs and technology leaders from around the world indicate that the insider threat is the fastest growing security risk of all. Employees and contractors, who are often provided with access to a company’s network infrastructure without proper risk management training, pose a significant risk to businesses. While some employees act maliciously against their organization, many cybersecurity breaches are due to negligence or inadvertent error. In fact, 60% of businesses admit their employees have no knowledge of security risks.


Jul 24

Should other CIOs be concerned about what happened to Treasury’s Bhagowalia?

From: FederalNewsRadio.com | 1500am

By Jason Miller

***

The job description also discusses the role of the federal CISO, suggesting that the administration plans to hire one.

In describing the offices the federal CIO would oversee, the description stated:

Jul 24

DHS makes mobile security a priority

From: FCW

By Ben Berliner

***

Sritapan also discussed changes to the Continuous Diagnostics and Mitigation program, which at present does not address mobile devices, although it does cover other endpoints such as desktops and laptops.

***

That’s not yet the case with mobile devices, Sritapan said. “Guess what? If you add mobile to the cloud, you don’t have to do anything.” Unlike laptops and desktops, there are no additional security measures when a mobile device is added. That is likely to change, he said, as “CDM is actually looking to include mobile going forward.”

Jul 18

3 things to know about GSA’s proposed CDM SIN

From:

The General Services Administration gave agencies more detail about its highly anticipated new special item number for the governmentwide Continuous Diagnostics and Mitigation program Monday.

***

GSA and DHS officials hosted a webinar Monday on what to expect from the forthcoming SIN. Here are the important takeaways:

Products need DHS approval to appear on the SIN


Jul 18

Embedded Technologies are an Area of Concern as Kaspersky Axed from Governmentwide Contracts

From: FCW

Kaspersky axed from governmentwide contracts

By Adam Mazmanian

***

Kaspersky has a fairly limited profile in the federal space as a contractor. Its products are in use or have been used at the Bureau of Prisons, the Consumer Product Safety Commission and the Comptroller of the Currency at Treasury, but overall spending on the company’s products by the federal government is far below $1 million, according to contracting data. The company’s products do not appear on GSA’s Continuous Diagnostics and Mitigation vehicle, a set of tools and services from vendors vetted by the Department of Homeland Security to provide cybersecurity services to federal agencies.

Jul 06

In the wake of the cyber sprint, OMB to develop new consolidated identity management guidance

From: FederalNewsRadio.com

By Nicole Ogrysko

***

The fiscal 2016 Federal Information Security Management Act (FISMA) report to Congress showed governmentwide improvements around information security continuous monitoring capabilities, the use of multi-factor authentication for network access and the implementation of anti-phishing and malware defense capabilities.

Stuntz said OMB wants to develop policies that can help agencies scale the kind of progress they saw with two-factor authentication during the cyber sprint.


Jul 03

Federal Agencies Increasing Their Focus on Insider Threats

From: Security Magazine

Eighty-five percent of federal IT managers say their agency is more focused on combating insider threats today than one year ago, and most are formalizing their efforts through formal insider threat programs, according to MeriTalk’s 2017 Federal Insider Threat Report, underwritten by Symantec.

***

The report notes that agencies that have lost data to insider incidents are less likely to have basic security measures – incident response systems, continuous monitoring, data loss prevention – in place, and less than half of agencies have increased encryption adoption, enabled real-time activity monitoring or enforced separation of duties policies following increasing use of cloud-based systems. Fifty-nine percent of federal IT managers surveyed say that the increasing number of cloud-based systems has made insider threats more difficult to detect.