GSA Readies FedRAMP

From: FedTech

By Wylie Wong

The General Services Administration expects to finalize and release security standards for government cloud computing this fall.

The interagency effort, called the Federal Risk and Authorization Management Program, provides a uniform set of baseline security controls that government or commercial cloud providers must meet to offer services to agencies. It also outlines initial requirements for continuous monitoring of cloud services to safeguard data and includes a proposed governance model for the government to assess and authorize cloud services.

Obama administration not against cybersecurity liability protection, says McConnell

From: FierceGovernmentIT

The Obama administration isn’t against the idea of extending liability protection as part of private sector adoption of a federally-mandated cybersecurity framework, said Bruce McConnell, a senior Homeland Security Department cybersecurity advisor.

The White House unveiled in May a cybersecurity proposal that would require operators of critical infrastructure to adopt cybersecurity measures against which they would be audited regularly.

Liability protection is not in the proposal, McConnell acknowledged, “but that’s not because we’re opposed to it,” he said while speaking July 21 during a panel hosted by the Brookings Institution in Washington, D.C.

Protecting Critical Infrastructure by Securing Information Technology

From: The Blog @ Homeland Security

From power grids to trading floors, every aspect of the Nation’s critical infrastructure is dependent on information technology to operate. That’s why securing critical IT infrastructure is so important to our homeland and economic security, public health and safety, and public confidence.

Nationwide Cyber Security Review (NCSR) Assessment: DHS Information Collection Request

The Department of Homeland Security is submitting an Information Collection Request (ICR) to OMB for review under the Paperwork Reduction Act (PRA). Under the PRA, DHS will not be allowed to collect the information without OMB approval.

According to DHS:

Per House Report 111-298 and Senate Report 111-31, Department of Homeland Security Appropriations Bill, NPPD, in cooperation with FEMA and relevant stakeholders, shall develop the necessary tools for all levels of government to complete a cyber network security assessment so that a full measure of gaps and capabilities can be completed. The NCSR will be conducted via the United States Computer Emergency Readiness Team (US-CERT) Secure Portal. The assessment stakeholders will be states and major urban areas. The NCSR is a voluntary self-assessment designed to measure cybersecurity preparedness and resilience. Through the NCSR, CSEP will examine relationships, interactions, and processes governing IT management and the ability to effectively manage operational risk.

SANS Institute Educates Congress on Cost Effective Continuous Monitoring

In testimony before the Oversight and Investigations Subcommittee of the House Financial Services Committee, Alan Paller of the SANS Institute emphasized the importance of continuous monitoring. Mr. Paller also emphasized the cost-effective nature of continuous monitoring in his testimony.

The great shame is that doing security right can cost less than we spend now to do it wrong. The waste was documented by a Senate oversight committee Chairman, who pointed out that billions are being paid to contractors, at a rate of more than $1,000 per page, for millions of pages of useless reports documenting out-of-date and generally less important security problems.