Archive for March, 2011
Ron Ross, a National Institute of Standards and Technology (NIST) Fellow, has been named to InformationWeek Government’s CIO 50, which identifies 2010’s top information technology decision-makers in government. Ross is project lead of the Federal Information Security Management Act (FISMA) Implementation Project and plays a key role in setting cybersecurity requirements for federal agencies and providing guidance on meeting those requirements. Ross was chosen for “establishing guidelines that emphasize risk management and ‘continuous monitoring’ over basic compliance.” Ross was also recognized for his leadership on a joint task force to develop a unified security framework for defense, civilian and intelligence agencies.
From: SC Magazine
The number of cyber incidents affecting U.S. federal agencies shot up 39 percent in 2010, according to a new report from the Office of Management and Budget (OMB), but experts said the increase is partly a reflection of improved discovery capabilities within government.
According to the OMB report, the U.S. Computer Emergency Response Team (US-CERT), a division of the Department of Homeland Security tasked with coordinating the cyber defense of federal agencies, received a total of 107,439 “cyber incident” reports in 2010 from the federal government, state and local governments, commercial enterprises, U.S. citizens and foreign CERT teams. Such reports detail attempts to gain unauthorized access to systems or data, denial of service attacks, or changes to system hardware, firmware or software without the owner’s consent.
Automation, interoperability, and authentication are the building blocks for a secure network defense, says the Department of Homeland Security.
By Elizabeth Montalbano, InformationWeek
March 24, 2011
The Department of Homeland Security (DHS) will take a three-pronged approach to centralizing security across the federal government, using automation, interoperability, and authentication to secure networks against attack, officials said in a white paper released this week.
Calling them the three “building blocks for a healthy cyber ecosystem,” the paper — the result of discussions 13 agencies had at a federal cybersecurity workshop last year — outlines a plan for creating a more centralized cyber network across federal agencies in which devices “collaborate in near-real time in their own defense,” according to the paper.
Analysis: Face of Federal IT Security Leadership — Why DHS, Not White House, Took Lead on RSA Breach Response
Eric Chabrow, Executive Editor, GovInfoSecurity.com
Pondering government cybersecurity leadership, first thoughts might go to the White House and the office of Cybersecurity Coordinator Howard Schmidt. But the voice of IT security in the Obama administration often seems to be the Department of Homeland Security, not the White House. And the government’s face on cybersecurity matters could be that of Philip Reitinger, deputy undersecretary for the National Protection and Programs Directorate, DHS’s highest ranking cybersecurity executive.
From: DNSZone (http://dns.tmcnet.com)
By Neelam Malkani
The Center for Regulatory Effectiveness (CRE), a regulatory watchdog founded and managed by former regulatory officials of the White House Office of Management and Budget, issued a draft of recommendations for NIST, the National Institute of Standards and Technology. The CRE emphasized the adoption of real-time continuous monitoring for federal cybersecurity operations.
In accordance with FISMA, NIST is responsible for developing standards, guidelines and associated methods and techniques for providing adequate information security for all agency operations and assets, excluding national security systems.
Rep. Jim Langevin (D-RI) has introduced legislation that would expand the Department of Homeland Security’s authority over private networks determined to be part of US critical infrastructure.
The bill, the Executive Cyberspace Coordination Act, would give the Department of Homeland Security (DHS) the authority to establish “risk-enforced security practices and standards for critical infrastructure”, according to a summary of the legislation issued by Langevin’s office.
DHS would have the authority to create, verify, and enforce measures to protect information systems that control critical infrastructure. And the department would have the power to determine what critical infrastructure would be covered by the legislation.
March 10, 2011 – Eric Chabrow, Executive Editor, GovInfoSecurity.com
During the first two years of the Obama administration, the White House didn’t show much enthusiasm for legislation to codify changes in the way the federal government tackles IT security. Without administration support, Congress failed to enact any significant cybersecurity legislation during the 111th Congress. Is that changing?
Sen. Sheldon Whitehouse hasn’t seen any evidence of that yet. In questioning Homeland Security Secretary Janet Napolitano during a Senate Judiciary Committee hearing on Wednesday, the Rhode Island Democrat suggested the Obama administration has been prolonging an interagency review of cybersecurity policy that could provide guidance on legislation Congress would consider.
From: Network World
By joltsik, created Mar 8, 2011, 11:17am
I gave a presentation on cyber supply chain security at a Mitre Software Assurance conference last week. One of the things I highlighted was that many organizations are not doing an adequate level of security due diligence on their IT vendors. This fact is clearly illustrated in a few ESG Research data points from the recent report, “Assessing Cyber Supply Chain Security Vulnerabilities Within the US Critical Infrastructure” (note: this report is available for free download at www.esg-global.com):
Federal Chief Information Officer (CIO) Vivek Kundra warned federal agencies to prepare for vigorous oversight of their cybersecurity systems using cyberstat sessions.
“The cyberstats are obviously classified because we’re dealing with very, very sensitive information,” said Kundra, during a Feb. 25 panel discussion with other federal CIOs reported by Federal News Radio. “The first one we did was with the Department of Education. We had great outcomes. The cyberstats are actually leading to very, very concrete actions and outcomes.”