March 26, 2019
Common Compliance Conundrums premium
Cybersecurity assessment initiatives and frameworks abound in the US government, the most important being the Federal Information Systems Management Act (FISMA), passed in 2002.  The law’s broad scope included a mandate to the US National Institute of Standards and Technology (NIST), charging it to create methods and standards to assess and optimize the cybersecurity posture […]
February 28, 2019
Compliance: It’s Still (an even bigger) Thing premium
You have heard it enough to make you aim a fire extinguisher at your firewall:  “compliance does not mean security”. Compliance work can consume up to 70% of security budgets in Federal government agencies, and it is common to spend more money identifying, documenting, and gaining approval for a remediation than the remediation itself costs. […]
September 19, 2017
[Survey] Regulations, Careless Insiders, and IT Modernization Complicate Federal Cybersecurity premium
Federal IT pros are facing “Herculean tasks” when it comes to security challenges, a new survey conducted by DLT partner, SolarWinds, reveals. Featuring insights from 200 civilian and Department of Defense (DoD) IT decision-makers, the survey explores the security challenges faced by public sector IT professionals, quantifies the sources and types of IT security threats, […]
September 8, 2017
An A-B-C Approach to Security Compliance Challenges premium
When it comes to enhancing their cybersecurity postures, federal agencies have to wade through an entire alphabet soup of regulatory compliance guidelines. From the RMF (Risk Management Framework) to FISMA (Federal Information Security Management Act) and DISA STIGs (Defense Information Systems Agency Security Technical Implantation Guides), there are a number of requirements that agencies must […]
July 11, 2017
Time is Running out for Government Contractors to Meet Key Cybersecurity Compliance Deadline premium
Time is running out for federal contractors to comply with the Federal Controlled Unclassified Information (CUI) Program. What does the CUI Program mean to contractors? As of December 31, 2017, all federal contracts will require that businesses contracting with the federal government must comply with the Federal CUI rule (32 CFR Part 2002) which strives […]
Government Tech Writer
December 15, 2011
SCAP Frequently Asked Questions premium
Last month, we began addressing some frequently asked Security Content Automation Protocol (SCAP) questions. Now that we have clarified what SCAP is, what it consists of, and how it helps with compliance issues, let’s look at FAQs about how validation and independent testing factor in. What is validation? The SCAP Program is responsible for maintaining established standards and ensuring that validated products comply. Validation is achieved through proving that the testing performed by the laboratory has been carried out correctly. Who does independent testing? Test results for validation are accepted from laboratories that are accredited by the National Voluntary Laboratory Accreditation Program (NVLAP). This accreditation is earned after full review of the laboratories’ Quality Management System (QMS) and passing of the technical proficiency tests.
December 13, 2011
Cloud and Continuous Monitoring premium
Continuous monitoring involves assessing an agency’s information security posture based on changes to risk resulting from new threats or newly discovered vulnerabilities. The National Institute of Standards and Technology’s (NIST) Guide for Applying the Risk Management Framework to Federal Information Systems (Special Publication 800‐37, Revision 1) specifies continuous monitoring as one of the six steps in information security. As agencies begin looking at cloud initiatives, the challenge is implementing a continuous monitoring program that reduces risk and ensures compliance with NIST and other relevant guidance in an environment of decreased control. The solution begins with knowing where compliance ends and risk begins.
November 21, 2011
SCAP Frequently Asked Questions premium
In our last discussion, we aspired for automated provisioning and continuous monitoring of Network Security Management. The National Institute of Standards and Technology (NIST) has spearheaded Security Content Automation Protocol (SCAP) efforts for the last ten years. NIST, an agency of the U.S. Department of Commerce, was founded in 1901 as the nation's first federal physical science research laboratory. In essence, SCAP is a NIST-sponsored effort for both pieces (automated provisioning and continuous monitoring). As a refresher: SCAP, pronounced “S-Cap”, combines a number of open standards that are used to enumerate software flaws and configuration issues related to security. They measure systems to find vulnerabilities and offer methods to score those findings in order to evaluate the possible impact. It is a method for using those open standards for automated vulnerability management, measurement and policy compliance evaluation and was the next logical step in the evolution of our compliance automation tools for Federal Agencies. SCAP defines how the following standards (referred to as SCAP 'Components') are combined and allows results to be easily shared for Federal Information Security Management Act (FISMA), Office of Management and Budget (OMB), Department of Homeland Security (DHS) and others.
September 12, 2011
Government Cloud Pushback premium
A recent New York Times article spells out the issues around federal cloud computing adoption explaining “such high praise for new Internet technologies may be common in Silicon Valley, but it is rare in the federal government, where concerns about security are paramount”. Agencies are notably concerned about losing responsibility for managing and securing data as well as the possibility of cloud outages. However, there are agencies with fewer concerns about security breaches and they have been busy moving user accounts and email services to the cloud environment. For example, the Agriculture Department has already moved about 46,000 employee accounts and is in the process of adding another 120,000. NASA has also made the migration by launching their own internal Nebula cloud computing platform. This platform provides a range of services powerful enough to manage all of NASA’s large-scale scientific data sets.