GSA official: Agencies will likely customize FedRAMP

From: FierceGovernmentIT

The General Services Administration is getting closer to debuting its Federal Risk and Authorization Management Program, or FedRAMP, but that does not necessarily mean the cloud computing cybersecurity standard will fulfill every agency’s needs, a GSA official said June 29 at an AFCEA Bethesda event in Washington, D.C.

“It would not surprise me if each agency had some customization,” said Bill Lewis, director of the portfolio management division in GSA’s federal acquisition service. “But if the time to get A&A or C&A on the cloud service is decreased [with the help of] FedRAMP, that will have fulfilled the purpose of it.”

Why Is NIST Not Requesting Additional Public Comments on SP 800-137?

Late last year, NIST’s schedule for developing its continuous monitoring guidance document called for three rounds of public comment on evolving drafts of SP 800-137. As FISMA Focus highlighted, the second public draft of SP 800-137 was cancelled in January. In April, FISMA Focus noted that even the planned final public draft of the document appeared to be cancelled along with the rest of the schedule for the document’s development.

NIST is now reporting that it expects the final version of SP 800-137 by the end of September 2011. As NIST explains, they “are working through the public comments with our DoD and Intelligence Community partners and are on target for a final version by the end of the fiscal year.”

Final version of industrial control systems security guide published (SP 800-82)

From: NIST

The National Institute of Standards and Technology (NIST) has issued the final version of its Guide to Industrial Control Systems (ICS) Security (SP 800-82), intended to help pipeline operators, power producers, manufacturers, air traffic control centers and other managers of critical infrastructure secure their systems while addressing their unique performance, reliability, and safety requirements.

Finalized after three rounds of public review and comment, the guide is directed specifically at federally owned or operated industrial control systems (ICS), including those run by private contractors on behalf of the federal government. Examples include mail handling operations, air traffic control towers, some electricity generation and transmission facilities, and weather observation systems. However, the guide’s potential audience is far larger and more diverse than the federal government, since about 90 percent of the nation’s critical infrastructure is privately owned.

Public-Private Cyber Cooperation: The Cost-Benefit Challenge

Cooperation between federal cybersecurity authorities and privately owned critical infrastructure was the focal point of a Government Executive/SANS Institute briefing sponsored by Northrop Grumman. Extending federal cybersecurity oversight and regulation to private sector components through legislation was a point of particular focus.

Although there was general agreement among panelists from the Executive Branch and Congress on the need to modernize the government’s cybersecurity regulatory authority, no specific solutions were endorsed. One panelist noted that expanding “FISMA reporting which sucks money out of the economy” would not be beneficial. Another panelist discussed the possibility of applying cost-benefit analysis to potential regulatory requirements.

Vivek Kundra to step down as chief information officer

From: Washington Post

By Ed O’Keefe

Vivek Kundra, the federal government’s first chief information officer, plans to leave his position in August for a fellowship with Harvard University, the White House announced Thursday.

Kundra, who had served in a similar role with the D.C. government, is one of several administration officials and West Wing staffers to leave government service for academia.

In a statement Thursday, Office of Management and Budget Director Jacob J. Lew said Kundra helped the administration identify more than $3 billion in cost savings by transitioning more government services online and by launching a government-wide effort to merge or consolidate the use of computer data centers.