SP 800-37, Rev 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (Draft)

From: NIST

Date Published: September 2017
Comments Due: October 3, 2017
Email Comments to: sec-cert@nist.gov

Planning Note (9/28/2017): After this discussion draft, NIST anticipates publishing an initial public draft in November 2017, a final draft in January 2018, and the final publication in March 2018.


NIST announces the release of a discussion draft of Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. This update responds to the call by the Defense Science Board, the President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, and the Office of Management and Budget Memorandum M-17-25 (implementation guidance for the Cybersecurity Executive Order) to develop the next-generation Risk Management Framework (RMF) for systems and organizations.

Former SEC chief says regulator not equipped to take on bitcoin

From: Reuters

John McCrank

NEW YORK (Reuters) – Arthur Levitt, a former chairman of the U.S. Securities and Exchange Commission, said on Thursday he believed the regulator was ill-equipped to deal with bitcoin, the digital currency that has seen a meteoric price rise, prompting concerns of a bubble.


“They have too many other issues that they are dealing with now that they don’t want to take on something as complex from a regulatory point of view as bitcoin is,” said the SEC’s longest-serving chairman, who held the post from 1993 to 2001.



Sweeping Cybersecurity Regulations Unlikely in Congress: Rep. Himes

From: Think Advisor

By Emily Zulz

Both Himes and an FBI agent called for international cybersecurity norms during a conference in New York

There’s likely to be a “pause” in Congress with respect to any statutory change around cybersecurity regulations, according to Rep. Jim Himes, D-Conn.

Himes, the ranking member of the NSA and Cybersecurity Subcommittee of the House Permanent Select Committee on Intelligence, gave the keynote speech during a recent cybersecurity summit hosted by NCS Regulatory Compliance in New York.



Federal Information Security: Weaknesses Continue to Indicate Need for Effective Implementation of Policies and Practices

From: US GAO

What GAO Found

During fiscal year 2016, federal agencies continued to experience weaknesses in protecting their information and information systems due to ineffective implementation of information security policies and practices. Most of the 24 Chief Financial Officers Act (CFO) agencies had weaknesses in five control areas—access controls, configuration management controls, segregation of duties, contingency planning, and agencywide security management (see figure). Evaluations by GAO and inspectors general (IGs) of agency information security programs, including policies and practices, determined that most agencies did not have effective information security program functions in fiscal year 2016. GAO and IGs have made hundreds of recommendations to address these security control deficiencies, but many have not yet been fully implemented.

NERC proposal targets cybersecurity risks in electric system supply chain

From: UtilityDIVE

Dive Brief:
  • The North American Electric Reliability Corporation has proposed new reliability standards aimed at shoring up the vendor supply chain that delivers software and critical updates to manage the country’s bulk electric supply (BES) system.
  • Specifically, the new standards require entities to develop and implement plans to address supply chain cybersecurity risks during the planning and procurement of bulk electric grid security systems.
  • The standards, filed with the Federal Energy Regulatory Commission, will address concerns that supply chains for information and communications technology and industrial control systems present risks to grid security, providing opportunities for cyberattacks.