GAO: FedRAMP Lacks Metrics for Communicating Best Practices

GAO has released a study of four e-government projects, including the Federal Risk and Authorization Management Program (FedRAMP).

The GAO report, which included a presentation used for briefing the staff of the Senate Committee on Homeland Security and Governmental Affairs, explained that FedRAMP “has made progress toward developing a governmentwide risk and authorization management program to provide joint security assessment, authorizations, and continuous monitoring of cloud computing services.”

GAO found that FedRAMP had “defined performance metrics addressing the initial adoption of the program by agencies, such as number of customers, but metrics related to goals such as improving consistency and fostering cross-agency knowledge sharing and communication of best practices had not yet been defined.”

OMB: FedRAMP is “Imminent”

FederalNewsRadio is reporting that the Office of Management and Budget’s deputy administrator for e-government and IT has told them that the “cloud security program, known as FedRAMP, is ‘imminent.’” The official stated that the program is “a high priority for new federal CIO Steve VanRoekel” although they did not offer “a specific timetable on completion.”

The complete FederalNewsRadio story may be found here.

New OMB FISMA Reporting Instructions (Cyberscope Reporting)

OMB has released Memorandum 11-33, “FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.” Building on the instructions in last year’s FISMA reporting memorandum, M-10-28, the FY 2011 White House document states:

agencies are required to adhere to Department of Homeland Security (DHS) direction to report data through CyberScope. This shift from the once-a-year FISMA reporting process to a monthly reporting of key metrics through CyberScope allows security practitioners to make decisions using more information delivered more quickly than ever before.

Draft NIST SP 800-30 Rev. 1 Available for Review and Comment

From: NIST

The National Institute of Standards and Technology (NIST) announces the initial public draft of Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments. Special Publication 800-30, Revision 1, is the fifth in the series of risk management and information security guidelines being developed by the Joint Task Force, a joint partnership among the Department of Defense, the Intelligence Community, NIST, and the Committee on National Security Systems. The partnership, under the leadership of the Secretary of Defense, the Director of National Intelligence, and the Secretary of Commerce, continues to collaborate on the development of a unified information security framework for the federal government to address the challenges of protecting federal information and information systems as well as the Nation’s critical information infrastructure.

In today’s world of complex and sophisticated threats, risk assessments are an essential tool for organizations to employ as part of a comprehensive risk management program. Risk assessments can help organizations:

IT Security Automation Conference scheduled for Oct. 31-Nov. 2

From: NIST

The Seventh Annual IT Security Automation Conference, co-hosted by the National Institute of Standards and Technology (NIST), will focus on the breadth and depth of principles and technologies designed to support computer security automation for organizations in both the public and private sectors. The conference will be held Oct. 31 through Nov. 2, 2011, at the Crystal City Hyatt Regency Hotel in Crystal City, Va.

Government and industry are turning to IT security automation because it leverages computer standards and specifications to simplify key security tasks, including managing vulnerabilities, measuring security, and ensuring compliance with rules and regulations. Automation frees resources to focus on other areas of the IT infrastructure.