Archive for March, 2011

NIST’s Ron Ross is Named to InformationWeek Government’s Top 50 Government CIOs

From: NIST

Ron Ross, a National Institute of Standards and Technology (NIST) Fellow, has been named to InformationWeek Government’s CIO 50, which identifies 2010’s top information technology decision-makers in government. Ross is project lead of the Federal Information Security Management Act (FISMA) Implementation Project and plays a key role in setting cybersecurity requirements for federal agencies and providing guidance on meeting those requirements. Ross was chosen for “establishing guidelines that emphasize risk management and ‘continuous monitoring’ over basic compliance.” Ross was also recognized for his leadership on a joint task force to develop a unified security framework for defense, civilian and intelligence agencies.

Rise in federal cyberattacks partly due to better monitoring

From: SC Magazine

The number of cyber incidents affecting U.S. federal agencies shot up 39 percent in 2010, according to a new report from the Office of Management and Budget (OMB), but experts said the increase is partly a reflection of improved discovery capabilities within government.

According to the OMB report, the U.S. Computer Emergency Response Team (US-CERT), a division of the Department of Homeland Security tasked with coordinating the cyber defense of federal agencies, received a total of 107,439 “cyber incident” reports in 2010 from the federal government, state and local governments, commercial enterprises, U.S. citizens and foreign CERT teams. Such reports detail attempts to gain unauthorized access to systems or data, denial of service attacks, or changes to system hardware, firmware or software without the owner’s consent.

DHS Outlines Cybersecurity Strategy

Automation, interoperability, and authentication are the building blocks for a secure network defense, says the Department of Homeland Security.

By Elizabeth Montalbano, InformationWeek

March 24, 2011

The Department of Homeland Security (DHS) will take a three-pronged approach to centralizing security across the federal government, using automation, interoperability, and authentication to secure networks against attack, officials said in a white paper released this week.

Calling them the three “building blocks for a healthy cyber ecosystem,” the paper — the result of discussions 13 agencies had at a federal cybersecurity workshop last year — outlines a plan for creating a more centralized cyber network across federal agencies in which devices “collaborate in near-real time in their own defense,” according to the paper.

Analysis: Face of Federal IT Security Leadership — Why DHS, Not White House, Took Lead on RSA Breach Response

Eric Chabrow, Executive Editor

Pondering government cybersecurity leadership, first thoughts might go to the White House and the office of Cybersecurity Coordinator Howard Schmidt. But the voice of IT security in the Obama administration often seems to be the Department of Homeland Security, not the White House. And, the government’s face on cybersecurity matters could be that of Philip Reitinger, deputy undersecretary for the National Protection and Programs Directorate, DHS’s highest ranking cybersecurity executive.

Center for Regulatory Effectiveness Advises Continuous Monitoring for NIST

From: DNSZone

By Neelam Malkani

The Center for Regulatory Effectiveness, a regulatory watchdog founded and managed by former regulatory officials of the White House Office of Management and Budget, issued a draft of recommendations for NIST, the National Institute of Standards and Technology. The CRE emphasized the adoption of real-time continuous monitoring for federal cybersecurity operations.

NIST, a little-known agency in the Department of Commerce, is working on an issue of critical importance: developing standards to protect the federal information technology infrastructure from cyber-attacks, as required by FISMA, the Federal Information Security Management Act.

In accordance with FISMA, NIST is responsible for developing standards, guidelines and associated methods and techniques for providing adequate information security for all agency operations and assets, excluding national security systems.

House bill would expand DHS authority over private networks


Rep. Jim Langevin (D-RI) has introduced legislation that would expand the Department of Homeland Security’s authority over private networks determined to be part of US critical infrastructure.

The bill, the Executive Cyberspace Coordination Act, would give the Department of Homeland Security (DHS) the authority to establish “risk-enforced security practices and standards for critical infrastructure”, according to a summary of the legislation issued by Langevin’s office.

DHS would have the authority to create, verify, and enforce measures to protect information systems that control critical infrastructure. And the department would have the power to determine what critical infrastructure would be covered by the legislation.

Senator: Cybersecurity Review Taking Too Long

Napolitano Says Interagency Appraisal Nearing a Conclusion

March 10, 2011 – Eric Chabrow, Executive Editor

During the first two years of the Obama administration, the White House didn’t show much enthusiasm for legislation to codify changes in the way the federal government tackles IT security. Without administration support, Congress failed to enact any significant cybersecurity legislation during the 111th Congress. Is that changing?

Sen. Sheldon Whitehouse hasn’t seen any evidence of that yet. In questioning Homeland Security Secretary Janet Napolitano during a Senate Judiciary Committee hearing on Wednesday, the Rhode Island Democrat suggested the Obama administration has been prolonging an interagency review of cybersecurity policy that could provide guidance on legislation Congress would consider.

Are IT Vendors Getting A “Free Pass” On Security?

From: Network World

By joltsik, created Mar 8, 2011 – 11:17am

I gave a presentation on cyber supply chain security at a Mitre Software Assurance conference last week. One of the things I highlighted was that many organizations are not doing an adequate level of security due diligence on their IT vendors. This fact is clearly illustrated in a few ESG Research data points from the recent report, “Assessing Cyber Supply Chain Security Vulnerabilities Within the US Critical Infrastructure” (note: this report is available for free download at [1]):

Agencies should prepare for vigorous cybersecurity oversight, warns federal CIO


Federal Chief Information Officer (CIO) Vivek Kundra warned federal agencies to prepare for vigorous oversight of their cybersecurity systems using cyberstat sessions.

“The cyberstats are obviously classified because we’re dealing with very, very sensitive information,” said Kundra, during a Feb. 25 panel discussion with other federal CIOs reported by Federal News Radio. “The first one we did was with the Department of Education. We had great outcomes. The cyberstats are actually leading to very, very concrete actions and outcomes.”