Fedline

GSA names FedRAMP third party assessment organizations


An initial group of nine organizations has been selected to provide independent security reviews of cloud products and services used in the federal government.

As part of the Federal Risk and Authorization Management Program (FedRAMP), expected to launch June 6, vendors must work with an approved third party assessment organization, or 3PAO, to validate that they’ve implemented baseline security standards. For years, these security reviews have varied across government and have cost agencies millions of dollars each year.

Approved 3PAOs include:

- COACT, Inc.

- Department of Transportation Enterprise Service Center

- Dynamics Research Corporation

- J.D. Biggs and Associates Inc.

- Knowledge Consulting Group, Inc.

- Logyx LLC

- Lunarline, Inc.

- SRA International, Inc.

- Veris Group, LLC

A review board, composed of officials from the National Institute of Standards and Technology and GSA, selected the first wave of 3PAOs. As part of the FedRAMP process, vendors must contract with a 3PAO to assess the security of their products and services.

“The accreditation process will eventually migrate to a board managed by private sector organizations,” according to the FedRAMP concept of operations document. “After the private sector accreditation body has been established, the FedRAMP PMO (program management office) will establish a transition timeframe for all 3PAOs to be accredited by the privatized board.”


House bill would provide $749 million for DHS cybersecurity


Cybersecurity funding at the Department of Homeland Security would increase 63 percent from $459 million to $749 million under a proposed 2013 spending bill by the House Appropriations Committee.

The increase would fund new initiatives to improve federal network security and defend against foreign espionage, according to a committee press release. The House Homeland Security Appropriations Subcommittee will mark up the bill on Wednesday.

Cyber funding would be $20 million below the president’s $769 million request. Both the administration and some members of the Senate are backing legislation that would give DHS new authorities to regulate cybersecurity. The 2012 Cybersecurity Act, S 2105, would authorize the DHS to regulate security standards for certain privately owned critical networks, such as those affecting the power grid and other systems that, if attacked, would cause death, severe economic damage or national security risks.

Skeptics of DHS’ ability to regulate industry point to the department’s troubled chemical facility security program, or CFATS. Congress in 2007 directed DHS to beef up the physical security and cybersecurity of chemical facilities. But that program suffered from unstable leadership, inadequate training and poor hiring decisions.

The spending bill would provide $45 million for CFATS, $29 million below what was requested and $47 million below current spending levels. “This reduction is due to significant managerial problems, program delays and poor budget execution,” the news release said.


House Republicans’ cyber bill promotes information sharing


Two Republican congresswomen introduced a cybersecurity bill this week that promotes information sharing and aligns closely with legislation sponsored by Sen. John McCain, R-Ariz.

Reps. Mary Bono Mack, R-Calif., and Marsha Blackburn, R-Tenn., introduced the 2012 Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act (SECURE IT), H.R. 4263, on Tuesday.

The bill would provide “explicit authorization for the private sector to defend its own networks and voluntarily share cyber threat information within the private sector and with the government – without the legal barriers that currently exist,” according to a news release.

Other measures include:

- Stiffer penalties for cyber criminals who hack into servers and steal personal information like credit card numbers and government documents.

- Better security of federal networks through reforms to the 2002 Federal Information Security Management Act.

- Advancement of cybersecurity research.

No more than 20 vendors to get initial cloud security assessments


As many as 20 cloud computing vendors will be certified for federal use under a new security assessment program when it launches in June.

The General Services Administration, which manages the Federal Risk and Authorization Management Program (FedRAMP), has said that companies already providing cloud technology to agencies under GSA’s Infrastructure-as-a-Service contract will be among the first to have their technology vetted through the program.

Vendors on GSA’s upcoming Email-as-a-Service contract will also be given priority. After being vetted and meeting any additional standards to ensure security, companies are approved to offer their products and services for sale to agencies. Anywhere from six to 20 contractors will go through FedRAMP in the first six to eight months, said Dave McClure, associate administrator of GSA’s Office of Citizen Services and Innovative Technologies.

“It is not going to be a situation where we will be drowning in FedRAMP applications,” McClure said in an interview this month. “We want to roll this out very cautiously and carefully, [and] make sure it works.”

By fiscal 2014, FedRAMP will be a sustaining program and all products are expected to go through the process, he said.

FedRAMP security requirements, largely based on standards set by the National Institute of Standards and Technology, will apply to information technology systems at the low and moderate security levels.

For example, vendors must be able to prove that they use two-factor authentication. Their systems operators must present two forms of evidence, such as a password and an identification card, to verify who they are before accessing systems that provide government services.

Vendors and agencies will have a year to comply with updated security standards, which NIST expects to release in July.

NIST identified gaps in previous guidance to address new challenges, such as insider threats, supply chain risk, and mobile and cloud computing technologies, said NIST fellow Ron Ross in an interview.

NIST standards address the need for cloud vendors to detail where government data is physically stored and processed and to provide a clear contingency plan in case of a terrorist attack or cyber incident.

According to the most recent data from 2009, agencies spend $300 million annually to test the security of IT systems and approve their use in the federal government.

“One of the promises and the benefits of FedRAMP is that we think it will save about 30 to 40 percent of governmentwide costs associated with assessing, authorizing, procuring and continuously monitoring these cloud solutions,” federal Chief Information Officer Steven VanRoekel said in December when announcing FedRAMP. The government spends “hundreds of millions of dollars a year securing information technology systems, and much of that work is duplicative, inconsistent and time-consuming.”

FedRAMP will allow agencies to reduce the number of people it takes to assess and authorize the security of their systems by 50 percent and cut the assessment time by 75 percent, according to the Office of Management and Budget.

NIST revises security and privacy standards for federal systems


The National Institute of Standards and Technology on Tuesday released proposed revisions to its requirements that govern how agencies secure their federal information systems.

Proposed changes to Special Publication 800-53, Revision 4, address new challenges that agencies face, including insider threats, supply chain risk, mobile and cloud computing technologies, and other cybersecurity issues and challenges, NIST said in a news release.

“The changes we propose in Revision 4 are directly linked to the current state of the threat space — the capabilities, intentions and targeting activities of adversaries — and analysis of attack data over time,” NIST fellow Ron Ross said in a statement.

“Many organizations are concerned about advanced persistent threats, so we added new controls that will allow organizations to use different strategies to combat those types of threats,” Ross said.

The proposed revisions add new security controls, or descriptions of what agencies must do to properly manage an information system, clarify security control requirements and enhance others.

Once approved, the changes will be used by the Federal Risk and Authorization Management Program (FedRAMP) to assess the security of cloud computing service providers. The administration plans to begin certifying cloud computing solutions under the mandatory security assessment program in June.

The public comment period for NIST’s revisions is from Feb. 28 to April 6, and the final document is expected to be released in July, after FedRAMP reviews begin.

It isn’t clear how long cloud vendors will have to adjust to the changes. And those details were not included in a new charter that defines the role of FedRAMP’s Joint Authorization Board, composed of chief information officers at the General Services Administration and Homeland Security and Defense departments.

The board will prioritize which cloud vendors will be first to undergo FedRAMP reviews, define security authorization requirements for vendors and provide the criteria for approving independent assessors to review the security of cloud solutions. The board is required to meet formally at least twice a year and to appoint technical representatives who meet on a monthly basis.

New guidance details best practices for cloud contracting


Guidance released by the Chief Information Officers Council last week calls on agencies to improve collaboration among CIOs, privacy and contracting officers and other stakeholders when procuring cloud services.

The document, called “Creating Effective Cloud Computing Contracts for the Federal Government,” outlines 10 areas where agencies can improve their internal collaboration before selecting a cloud provider.

Agencies should consider input from the CIO, general counsel, privacy and procurement offices when choosing the appropriate cloud service and how it will be provided.

“Federal agencies must ensure cloud environments are compliant with all existing laws and regulations when they move IT services to the cloud,” according to the document.

Other areas for improved collaboration:

- Defining security requirements for cloud vendors and ensuring a robust continuous monitoring program is in place.

- Ensuring that all data stored in the cloud is available under the Freedom of Information Act.

- Creating service level agreements that define performance requirements for vendors and how they will be measured.

Agencies are encouraged to include provisions in their cloud contracts that define penalties if a vendor does not meet a service level agreement. To give vendors an incentive to meet these agreements, agencies should impose a monetary consequence or another penalty when vendors’ services fall short of agencies’ expectations.

The guide, available at cio.gov, was a joint effort among the CIO and Chief Acquisition Officers councils and the Federal Cloud Compliance Committee.

Cyber bill calls for regulation of the nation’s critical systems

Cybersecurity legislation introduced by Sen. Joe Lieberman, I-Conn., on Tuesday empowers the Department of Homeland Security to regulate cyber standards for the nation’s critical infrastructure systems.

The Cybersecurity Act of 2012 calls on the DHS secretary to work with the private sector in identifying systems that pose the greatest risk and could cause death, severe economic damage or national security risks if attacked. DHS and the private sector would be responsible for creating performance standards for owners and operators of power grids and other systems if none exist.

Industry would have to decide how best to meet the performance standards in addition to doing annual self-reporting to DHS. Those that submit annual reports and meet performance standards would receive liability protection from punitive damages in the event of a cyber attack.

Sens. Susan Collins, R-Maine, John Rockefeller, D-W.Va., and Dianne Feinstein, D-Calif., cosponsored the bill.

State’s chief security official to head DHS cyber division


The State Department’s top security chief is leaving his post to oversee a newly created cybersecurity division at the Department of Homeland Security.

John Streufert will replace Nicole Dean as director of DHS’ National Cyber Security Division on Jan. 17, where he will be tasked with building and maintaining an “effective cyberspace response system” and implementing a program for protecting critical infrastructure, DHS’ Roberta Stempfley said in an email Friday to employees within the Office of Cybersecurity and Communications. Streufert will also work to strengthen DHS’ partnerships with the private sector and international organizations.

“Although Nicole is leaving rather large shoes to fill, there is no doubt that John’s range of experience will also bring vast knowledge and innovation to the NCSD organization,” Stempfley said in the email.

The move comes as the administration works to strengthen DHS’ role in cybersecurity. Under the White House cybersecurity proposal, DHS would have the lead in protecting dot-gov domains and be a key liaison with the private sector. The proposal would also require critical infrastructure firms to adhere to cybersecurity guidelines created by industry and approved by DHS.

DHS will also play a major role in the administration’s Federal Risk and Authorization Management Program (FedRAMP) by coordinating automated continuous monitoring of industry cloud solutions.

Streufert’s success in improving cybersecurity at State makes him an ideal candidate for the director position. He has served as the department’s chief information security officer and deputy chief information officer for information assurance since 2006. He reduced security vulnerabilities on the department’s personal computers and servers by about 90 percent between 2008 and 2009 by using continuous monitoring software.

FCC launches cyber planning tool for small businesses


A new online tool developed by the Federal Communications Commission allows small businesses to create a cybersecurity plan for free.

The FCC Small Biz Cyber Planner uses a three-step process, and a plan takes only minutes to create. After providing your company’s name and location, you can compile guidance on several topics — including mobile devices, network security and email — to include in your custom plan.

Once you select the topics to include, the site generates a custom report with a cybersecurity glossary and links to reference publications. For example, under guidance about network security, the plan advises companies to require security and auditing from their cloud providers and review and understand service level agreements for system restoration.

“The tool is designed for businesses that lack the resources to hire dedicated staff to protect their business, information and customers from cyber threats,” according to a blog post on FCC.gov.

The agency collaborated with the Department of Homeland Security, the National Cybersecurity Alliance and other public and private sector organizations to develop the tool.


Senate to debate cyber legislation in 2012

[Photo: Senate Majority Leader Harry Reid (Photo Credit: Sen. Reid's office)]

Senate Majority Leader Harry Reid, D-Nev., expects the Senate to vote on cybersecurity legislation during its first work period of 2012.

In a Nov. 16 letter to Senate Minority Leader Mitch McConnell, R-Ky., Reid said that bipartisan committees have been negotiating potential language in a cyber bill for the past six months, but those efforts haven’t produced results.

Reid said if the working groups cannot agree on bipartisan legislation by early next year, he will welcome legislation produced “elsewhere” to be debated on the Senate floor. For now, the 2012 legislative session is scheduled to begin Jan. 23.

Could that bill include recommendations from the House Republican Cybersecurity Task Force? In his letter, Reid highlighted efforts by the task force as being consistent with efforts in the Senate.
