Information Security and Privacy Advisory Board Meeting: Feb 1-3

From: Federal Register

SUMMARY: The Information Security and Privacy Advisory Board (ISPAB)
will meet Wednesday, February 1, 2012, from 8 a.m. until 5 p.m.,
Thursday, February 2, 2012, from 8 a.m. until 5 p.m., and Friday,
February 3, 2012 from 8 a.m. until 12 p.m. All sessions will be open to
the public.

DATES: The meeting will be held on Wednesday, February 1, 2012, from 8
a.m. until 5 p.m., Thursday, February 2, 2012, from 8 a.m. until 5 p.m.
Eastern time, and Friday, February 3, 2012 from 8 a.m. until 12 p.m.
Eastern time.

December 2011: GovCloud Moves From Policy to Law

From: Forbes

Over the past years, government cloud computing has steadily moved forward from its early beginnings as an interesting curiosity:

Since Sunday’s broadcast, I’ve been asked numerous times about my real answer to the question “Will ‘Cloud Computing’ Work In White House”. Although I would never assume to be in a position to advise the President-elect, I’m more than happy, however, to add my voice to the Center for Strategic and International Studies (CSIS) and the distinguished list of contributors that recently released the CSIS Commission on Cybersecurity for the 44th Presidency.

Cloud security reviews give priority to GSA vendors

From: Federal Times

Verizon Federal Inc. and General Dynamics Information Technology are among companies whose cloud computing services and products will be vetted first by federal experts under a new mandatory security assessment program.

These companies and others that already provide cloud technology to agencies under the General Services Administration’s Infrastructure-as-a-Service contract will be reviewed first, said Dave McClure, associate administrator of the General Services Administration’s Office of Citizen Services and Innovative Technologies.

The governmentwide program, called the Federal Risk and Authorization Management Program (FedRAMP), is intended to quickly ensure that commercial cloud computing technology meets federal security standards so that agencies can more readily adopt it.

NRC FISMA Evaluation Finds Continued Improvement, Remaining Problems

A FISMA compliance evaluation of the Nuclear Regulatory Commission by an independent auditor on behalf of the Office of Inspector General found that NRC has made IT security progress on some fronts but issues remain, particularly on management issues.

The report concluded that over the past nine years, “NRC has continued to make improvements to its information system security program and continues to make progress in implementing the recommendations resulting from previous evaluations.”

The auditor also concluded that weaknesses remain in NRC’s compliance with FISMA.  Of note, the “agency has not developed an organization-wide risk management strategy” and, as multiple previous audits have found, “the agency’s POA&M [Plan Of Action and Milestones] program still needs improvement.”

FedRAMP and Transparency

Transparency in the operation of FedRAMP was a key theme at GSA’s December 16th Industry Event. GSA and NIST officials emphasized that the FedRAMP program would operate transparently and that applicable standards and requirements will be public. The officials also emphasized that the program’s “do once, use many times” framework for security assessment, authorization and continuous monitoring was designed to avoid redundant security assessments, thus saving “significant cost, time and resources.”

The Center for Regulatory Effectiveness, operating in its capacity as a Regulatory Watchdog, will be scrutinizing and reporting on the rollout and implementation of FedRAMP by all participants in the process.  CRE may take additional actions, if warranted, to ensure that FedRAMP achieves its economic and security objectives.