Archive for August, 2011

Spotlight: Wave of NIST cybersecurity guidance on the way

From: FierceGovernmentIT

The National Institute of Standards and Technology has a slew of guidance coming down the pike for agencies. The first, a new risk assessment guideline, should be ready in September 2011, said Ron Ross, NIST’s project leader of the FISMA implementation project.

Information technology workers should also be on the lookout for a continuous monitoring guideline and an update to NIST SP 800-53 (.pdf), the security control catalog updated every 4 years, he said while speaking at a FedScoop event in Washington, D.C. Aug. 24. NIST also expects major cybersecurity guidance in 2012 on systems and security engineering, said Ross.

SANS 20 Critical Security Controls


A couple days ago, The SANS Institute announced the release of a major update (Version 3.0) to the 20 Critical Controls, a prioritized baseline of information security measures designed to provide continuous monitoring to better protect government and commercial computers and networks from cyber attacks.  The information security threat landscape is always changing, especially this year with the well publicized breaches.  The particular controls have been tested and provide an effective solution to defending against cyber-attacks.  The focus is critical technical areas than can help an organization prioritize efforts to protect against the most common and dangerous attacks.  Automating security controls is another key area, to help gauge and improve the security posture of an organization.

OMB pushes department CIOs toward continuous monitoring and ‘CyberStat’ reviews

From: Government Security News

By: Jacob Goodwin

The Director of the Office of Management and Budget, Jacob Lew, issued a memorandum to all federal department and agency heads on August 8 that identifies four main areas of responsibility for chief information officers, including primary responsibility for overseeing their department’s information security program aimed at safeguarding both information and IT systems.

“Part of this program will include well-designed, well-managed continuous monitoring and standardized risk assessment processes, to be supported by ‘CyberStat’ sessions run by the Department of Homeland Security to examine implementation,” wrote Lew. “Taken together, continuous monitoring and CyberStat will provide essential, near real-time security status information to organizational officials and allow for the development of immediate remediation plans to address any vulnerabilities.”

GAO, State Clash Over Infosec Documentation

From: GovInfoSecurity

Eric Chabrow, Executive Editor

Continuous monitoring for vulnerabilities on information systems is supposed to reduce paperwork for federal agencies, such as the check-box compliance forms that show they comply with the rules born from the Federal Information Security Management Act.

But does documenting processes involved with continuous monitoring represent unnecessary paperwork? Congressional auditors at the Government Accountability Office don’t think so, but State Department officials implementing a custom application called iPost think documentation, in some cases, is unnecessary and outdated.

NIST Tests Ways To Secure iPhones, iPads

From: Information Week

The agency bought 60 Apple tablets and smartphones to figure out secure methods for federal government employees to use the popular devices.

By Elizabeth Montalbano

The organization that creates standards for the federal government’s use of technology is testing iPhones and iPads to devise the best ways of securing them for government use.

The National Institute of Standards and Technology’s (NIST’s) Office of Information Systems Management (OISM) is performing a pilot across the agency to “determine how best to proceed to provide a managed, secure configuration for NIST users of these devices,” according to a contract award notification posted on