Apr 30

DOD releases new guidance giving teeth to cybersecurity rules to protect data within the supply chain

From: CSO | Opinion

By , Contributor

Companies supplying products and services to the US Department of Defense must meet 110 security requirements specified in NIST SP 800-171 or risk losing contract awards through a new set of risk scoring guidelines. The new rules demonstrate the government’s determination to insist on strong cybersecurity practices among its business partners and drive compliance.

The US Department of Defense issued new guidance on how it might penalize business partners that do not adequately adhere to new security rules codified in NIST SP 800-171.

***

Apr 23

Changes coming to clearance process in 30 to 60 days, says ODNI

From: FCW

By Derek B. Johnson

***

William Evanina, director of the National Counterintelligence and Security Center, told attendees at an April 18 event hosted by the Aspen Institute that ODNI hopes to have new guidance out in the next 30 to 60 days that refines the questions background investigators are required to ask about applicants and condenses the front end of the clearance process so that candidates can start work while newer technologies like continuous monitoring conduct more granular analysis.

***

Apr 18

DHS Might Provide Cyber Services Directly To Industry Under New Strategy

From: Nextgov

By Joseph Marks, Senior Correspondent

SAN FRANCISCO – A new cybersecurity strategy due out within days from the White House envisions the Homeland Security Department providing cybersecurity services directly to critical infrastructure providers, such as hospitals, airports and energy companies.

The system, which Homeland Security Secretary Kirstjen Nielsen described as “security as a service,” would be a major step forward for the department, which, historically, has helped critical infrastructure mostly by sharing cyber threat information and helping them respond after a breach has already occurred.


Apr 16

DHS seeks growth in cyber budget

From: FCW

By Mark Rockwell

***

DHS is seeking more than $644 million just for a mix of programs to support federal agency cybersecurity, including the Continuous Diagnostics and Mitigation program and the network shield system known as EINSTEIN.

Nielsen told the House Appropriations Homeland Security subcommittee Chairman Rep. John Carter (R-Texas) that she was looking “at maturing the department.” That includes continuing efforts to communicate across agencies and collaborate on issues such as cybersecurity.


Apr 12

DHS Is Falling Short on Securing Its Classified Intelligence Systems

From: Nextgov

The department isn’t effectively managing continuous monitoring, the auditor said.

By Joseph Marks, Senior Correspondent

The Homeland Security Department isn’t doing enough to secure classified information on its intelligence systems, according to a report summary out Wednesday from the department’s inspector general.

The tools that continuously monitor those systems for cyber threats aren’t interoperable with each other, the auditor found.


Apr 12

Insiders compromised FDIC data; GAO audit finds FDIC working to improve IT security

From: BiometricUpdate.com

Anthony Kimery

There have been a number of serious insider breaches at the Federal Deposit Insurance Corporation (FDIC), including a former “employee” who “copied highly confidential components of three sensitive resolution plans onto an unencrypted USB storage device and took the information upon abruptly resigning,” according to an Office of Inspector General (OIG) report in the Government Accountability Office (GAO) auditor’s report on the results of GAO’s audits of the 2017 and 2016 financial statements for the two funds FDIC administers—the Deposit Insurance Fund (DIF) and the Federal Savings and Loan Insurance Corporation (FSLIC) Resolution Fund (FRF).

Apr 09

OMB wants feedback on new ICAM policies

From: FCW

By Troy K. Schneider

The Office of Management and Budget on April 6 released a draft of new guidance for governmentwide identity, credential and access management (ICAM) and is seeking public comment for the next 30 days.

“Agencies must be able to identify, credential, monitor, and manage user access … across their enterprise in order to ensure secure and efficient operations,” the draft memo states. “In particular, how agencies conduct identity proofing, establish digital identities, and adopt sound processes for authentication and access control will significantly impact the security of their digital services.”


Apr 03

TIC still tripping up agencies’ cloud modernization efforts

From: FCW

By Derek B. Johnson

***

As a potential workaround, DHS is exploring other ways to monitor connections from cloud-based systems. Sean Connelly, cybersecurity architect at DHS, indicated that in certain areas, cybersecurity programs like EINSTEIN and Continuous Diagnostics and Mitigation may be better suited for monitoring cloud-based traffic.

“How TIC evolves and where there is data that is going to be architected in the cloud, there’s expectations that the CDM program would be able to monitor that data…probably better than TIC can at this point,” said Connelly.
