Author name: Bruce

I have been doing IT and cybersecurity, specifically GRC, for 20 years. I want to help people get into this field.

Business COOP and Risk Management

NIST SP 800-34 Rev 1, Contingency Planning Guide for Federal Information Systems, breaks the contingency planning process down into seven steps. The process helps organizations develop and maintain a contingency planning program for their assets. The seven steps are designed to be integrated into each stage of the system development life cycle to manage the overall risk of an information system.

1) Develop the contingency planning policy statement. A formal policy provides the authority and guidance necessary to develop an effective contingency plan.
2) Conduct the business impact analysis (BIA). The BIA helps identify and prioritize information systems and components critical to supporting the organization’s mission/business processes. A template for developing the BIA is provided to assist the user.
3) Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
4) Create contingency strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
5) Develop an information system contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system, tailored to the system’s security impact level and recovery requirements.
6) Ensure plan testing, training, and exercises. Testing validates recovery capabilities, training prepares recovery personnel for plan activation, and exercising the plan identifies planning gaps; combined, these activities improve plan effectiveness and overall organizational preparedness.
7) Ensure plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements and organizational changes.

This approach covers the same “corporate risk” challenges you would see in major organizations.
NIST SP 800-39 addresses corporate risk by introducing a tiered approach. The Fundamentals of Corporate Risk Management (covered in Chapter 2 of NIST SP 800-39) describe three layers (or tiers) of risk management:

Tier 1: Organization level
Tier 2: Mission/Business Process level
Tier 3: Information System level

Tier 1: Corporate/Organization Level risk management

NIST SP 800-39 Tier 1 addresses security from the perspective of the entire organization. The corporate risk structure starts from the top down. Tier 1 activities include the implementation of the first component of risk management, risk framing. Risk framing provides the context for all risk activities within an organization, which affects the risk activities of Tiers 1 and 2. The output of risk framing is the risk management strategy. At Tier 1 the organization establishes and implements governance structures that comply with laws, regulations and policies. Tier 1 activities include establishing the risk executive function, establishing the risk management strategy and determining the organization’s risk tolerance.

Tier 2: Corporate/Mission Process Level risk management

Tier 2 risk management activities include:
1) Defining the mission/corporate processes that support the organization.
2) Prioritizing the mission/corporate processes with respect to the long-term goals of the organization.
3) Defining the type of information needed to successfully execute the mission/business processes, the criticality/sensitivity of that information, and the information flows both internal and external to the organization.

Having a risk-aware process is an important part of Tier 2. To be risk-aware, senior leaders/executives need to know:
1) the types of threat sources and threat events that could adversely affect the organization’s ability to execute its missions/business processes;
2) the potential impacts on organizational operations and assets, individuals, and the Nation if confidentiality, integrity or availability is compromised; and
3) the organization’s resilience to such an attack that can be achieved with a given mission/business process.

Tier 3: Information System risk management

From the information system perspective, Tier 3 addresses the following tasks of the DIARMF/risk management framework steps:
1) Categorization of the information system
2) Allocation of the organizational security controls
3) Selection, implementation, assessment, authorization, and ongoing monitoring of the security controls

Chapter 3 of NIST SP 800-39 focuses on the steps needed for a comprehensive risk management program. The tasks discussed include risk framing, risk assessment, risk response and risk monitoring.

Risk Framing

Risk framing establishes the assumptions, constraints, risk tolerance and priorities that shape how an organization manages risk. The risk frame is based on the organization’s governance structure, how much money is available, the regulations imposed on it, its environment and culture, and its trust relationships.

Risk Assessment

Risk assessment is threat and vulnerability identification and risk determination. Organizational risk framing is a prerequisite to risk assessment, because the methods of risk assessment must be established within the context of the organization’s risk frame.

Risk Response

Risk response identifies, evaluates, decides on, and implements appropriate courses of action to accept, avoid, mitigate, share, or transfer risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems. Risk identification is key to risk response. Risk response types include:

Risk acceptance is the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions.

Risk Monitoring

Risk changes with each modification of the system, so it is important to monitor how the risk of a system changes over time. Changes to threats can also change risk.

DoD New Transparent Cybersecurity Policy

Secretary of Defense Ashton B. Carter talked about rebuilding the bridge between Washington and Silicon Valley. He spoke at Stanford using keywords like “transparency” to connect with the audience. Dr. Ashton Carter has a PhD from Oxford in theoretical physics. He is not a dumb guy. It is a smart move to talk directly to America’s next group of “cyber” pioneers to solicit help. But many of these millennials are concerned with things like Snowden and the Patriot Act, so the Pentagon might want to address those types of things to get more Stanford and MIT students on their side.

The Secretary of Defense mentioned a recently declassified successful attack on the Pentagon by Russian sources. He was putting out a call to action for help. Carter said, “Renewing our partnership is the only way we can do this right.”

http://news.stanford.edu/news/2015/april/ash-carter-talk-042415.html
http://sanfrancisco.cbslocal.com/video?autoStart=true&topVideoCatNo=default&clipId=11422466

National Cybersecurity Workforce Framework (Workforce Framework) Version 2.0

National Cybersecurity Workforce Framework (Workforce Framework) Version 1 has been replaced with Version 2.0. The change was made for adherence to the OPM Guide to Data Element Standards. If you did not know the purpose of the National Cybersecurity Workforce Framework:

The National Cybersecurity Workforce Framework (Workforce Framework) Version 2.0 is the foundation for increasing the size and capability of the US cybersecurity workforce. It can help solve some of the key cybersecurity workforce challenges. The Workforce Framework is a national resource for employers, trainers, and policy makers, providing a common cybersecurity lexicon. Creating uniformity in the field is critical to its organization and development and the Workforce Framework aims to categorize the different types of cybersecurity work.
– http://niccs.us-cert.gov

“Oversight and Development” in NICE framework version 1 has become “Oversee & Govern” in version 2. I noticed that version 2 also includes Risk Management type positions listed under Oversee & Govern:

Risk Management – Oversees, evaluates, and supports the documentation, validation, and accreditation processes necessary to ensure new and existing information technology (IT) systems meet the organization’s information assurance (IA) and security requirements. Ensures appropriate treatment of risk, compliance, and monitoring assurance from internal and external perspectives.

Federal Cyber Workforce Having Issues Getting Workers

I read an article about the federal government having a hard time hiring and retaining cyber workforce professionals.

Rigid hiring processes and low pay for specialized employees have kept the U.S. government from developing the type of cyber workforce it needs to keep up with growing attacks, according to an independent analysis.
– Washington Post

I have worked for the federal government for many years. I would definitely agree with that assessment. And I know why. The government is slow as hell. They are slow to adjust to the exponential changes of information technology and have trouble competing with the salaries of the commercial world.

The Partnership for Public Service released a report on Tuesday saying the federal government has positioned itself poorly for recruiting cybersecurity personnel at a time when the nation as a whole is already facing a shortage.
– Washington Post

Cybersecurity is more important than ever. As more of our money, our interactions, and our lives go online, security becomes more important.

Aside from non-competitive pay and strict hiring practices, other causes of the deficiency include weak talent pipelines and the lack of a government-wide strategy for hiring and retaining talent, according to the group.

If the federal government wants better talent, they have to go ALL IN. I think some of their business units get it right. The Defense Advanced Research Projects Agency (DARPA), for example, is always trying to go beyond the bleeding edge of tech. DARPA is credited with funding the initial seeds that led to the creation of the Internet. They have huge visions that seem crazy until they actually do it and change the world. The federal government has the means to go “DARPA” in every branch of the military. They do not have the political will. And that is why they are in the situation they are in.

DoDD 8140 Round Up

I have been hunting for information on the abominable “DoDD 8140”. Some say that it does not exist, but you can see its footprints all over the InterWebs:

The DoDD 8140 (DoDD 8570.1 replacement) is in staffing (administrative and format correction by the DoD, then legal review, then for signature by the SecDef or DepSecDef). Tentative completion and release date 1st Qtr. FY 15. The workforce manuals will stem from the signed DoDD 8140.
– Army CIO/G6, Cyber Security Directorate Training and Certification Newsletter, 1 September 2014

DoD 8140 workforce requirements initiative – Operationally Focused CYBER Training Framework

DoDD 8140 – What We Know
– Expands 8570 Concept from Information Assurance Personnel Only to Entire “Cyberspace Workforce”
– Umbrella Program
– Intent is For The 8570 Matrix to Remain The Same
– Will Use NICE (National Initiative for Cybersecurity Education) Framework and “Other Plans and Policies” for job skills/functions/tasks
– isc2chapter-middlega.org

Initial draft 8140 Directive in formal coord
• Policies under the DoDD 8140 to cover the entire Cyberspace Workforce
• IT/Cybersecurity
• Cyberspace Operations (Engagement)
• Intelligence Workforce (Cyberspace)
• Leverage existing plans and policies:
• NICE; DoD CWF; CW Strategy
• JCT&CS
• Total force manpower process (DoDI 1100.22)
• Apply lessons learned from workforce studies and 8570 implementation
– isc2chapter-middlega.org

Lack of Standard DoD CS/ITWF-Related Procedures. DON CIO personnel informed us that the Navy did not comprehensively define the overall CS/ITWF or develop a CS/ITWF personnel database because they were waiting for DoD to issue its guidance. We were told that DoD was drafting Directive 8140.aa, “Cyberspace Workforce Management,” reissuing and renumbering DoD Directive 8570.01, “Information Assurance Training, Certification, and Workforce Management,” updating and expanding policies, and assigning responsibilities for managing the DoD workforce performing cyberspace functions.
– Cyberspace/Information Technology Skill Sets for Active Duty Military Personnel at Selected Navy Commands

In reference to changes to the IP Officer course, the expected date of implementation is May 2016. For the more immediate mitigation efforts, N2/N6 responses are predicated on DON CIO’s update to Secretary of the Navy (SECNAV) Instruction 5239 along with the release of the DoDD 8140.aa. Once these documents have been promulgated (estimated date of completion in September 2014), OPNAV N2/N6 will release a Naval Administrative Message (NAVADMIN) that will direct the fleet to these changes and ensure implementation of all directives and instructions. Estimated release date for the NAVADMIN will be May 2015.
– Cyberspace/Information Technology Skill Sets for Active Duty Military Personnel at Selected Navy Commands

If you see the 8140 in the wild, shoot it, skin it and send it to me: elamb(dot)security(at)gmail

Raytheon Control of Websense to Expand Cybersecurity

Raytheon is betting on cybersecurity as it buys Websense Inc. They are investing 1.7 billion into this venture. Websense has 21,000 clients. Its technology allows system administrators to block access to websites based on content and protocols. With this type of technology, organizations of any size can enforce rules of behavior on users. Websense allows the implementation of security best practices like “least functionality” and collecting audit logs. Since the biggest threats usually come from insiders, it is no wonder that companies like Websense have done so well.

Raytheon has mainly been a defense contractor developing and maintaining products and services for the US Department of Defense and intelligence services. Websense will give them a pretty solid foothold in private-sector cybersecurity, including banks and organizations overseas.

More info on the deal at WSJ.

FCC – Cybersecurity Risk Management Best Practice Working Group

The Federal Communications Commission (FCC) Communications Security, Reliability and Interoperability Council (CSRIC) developed a Cybersecurity Risk Management and Best Practices Final Report dated March 2015. The 400-page document discusses voluntary mechanisms that give the FCC and the public assurance that communications providers are taking the necessary measures to manage cybersecurity risks across the 5 major segments of communications: broadcasting, satellite, cable, wireless and wireline. The document also details implementation guidance to help communications providers adopt the NIST Cybersecurity Framework.

The NIST Cybersecurity Framework was created to satisfy the President’s Executive Order 13636 – Improving Critical Infrastructure Cybersecurity. Each of the 5 major segments of FCC communications (broadcasting, satellite, cable, wireless and wireline) has been treated as critical infrastructure and evaluated against the NIST Cybersecurity Framework. The segment and feeder subgroup findings and the resulting NIST Cybersecurity Framework implementation guidance are contained in the appendices to the report.

More info here.

Windows Server 2012 Domain Name System (DNS) Security Technical Implementation Guide (STIG) Version 1

DISA has released the Windows Server 2012 DNS STIG Version 1. The requirements of the STIG become effective immediately. The STIG is available on IASE at: http://iase.disa.mil/stigs/net_perimeter/network-other/Pages/network-other.aspx

VMS Users: The Windows 2012 Server DNS STIG requirements will need to be manually applied to an asset in VMS by adding the “Windows 2012 DNS” element (found under Computing > Application > DNS Applications) to the asset’s posture. The “Windows DNS” element from the previous version of the DNS STIG will remain applied to the asset’s posture, along with the requirements of the previous version. That previous-version element should be manually removed from an asset’s posture once the assessment results from the previous version are no longer needed.

8570 to National Initiative for Cybersecurity Education (NICE)

The Department of Defense used DoD 8570.01-M, Information Assurance Workforce Improvement Program, as its labor reference code. 8570 mapped required industry-level IT certifications to certain job titles. The problem with it was that many within DoD relied too heavily on IT certifications. So organizations would end up with lots of “paper tigers”: IT guys with lots of certifications but very little practical experience.

In 2010, the Office of Personnel Management and others involved with the National Initiative for Cybersecurity Education (NICE) recognized issues in the federal government with hiring qualified talent for the cybersecurity workforce. John Mills, OSD/NII, who assisted with the National Cybersecurity Initiative, said, “We’re already working on revising 8570. We want to do something that reflects a workforce that is trained and qualified with actual capabilities and competencies and not just a rote exam.” (2010)

According to cybersecurity panelist Patty Edfors, “There’s a dilution of certifications going on. There are many entities cropping up that have new certifications. And it gets to be one of these: ‘Which one do I choose?’ And it all comes down to: ‘Which one will bring me the biggest salary?’ So, the alignment of the resources and qualifications of the workforce are critical….”

The result of their work was the Cybersecurity Workforce Framework: http://niccs.us-cert.gov/training/tc/framework

But there is no word yet on whether or not this will replace or supplement the old 8570.

Samsung Android (with Knox 2.x) STIG Version 1

DISA Field Security Operations (FSO) has released the Samsung Android (with Knox 2.x) STIG Version 1. The requirements of this STIG become effective immediately. All the applicable technical NIST SP 800-53 requirements were considered while developing this STIG. Requirements that are applicable and configurable are included in the STIG.

The DoD is unable to automatically control which core and preinstalled apps from Google, Samsung, or the carriers are included with an operating system (OS) update. Some apps included in an OS update may have undesirable features for the DoD. Approving Officials must review/vet all apps included in any OS update to determine the risk acceptance of each app. Disapproved apps must be disabled via the MDM.

The STIG is available at: http://iase.disa.mil/stigs/net_perimeter/wireless/Pages/smartphone.aspx