Author name: Bruce

I have been doing IT and cybersecurity, specifically GRC, for 20 years. I want to help people get into this field.


FISMA Requirement 2012

Resources: FY 2012 Report to Congress on the Implementation of the FISMA Act of 2002 (2012 FISMA Executive Summary) and “National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs”.

FISMA requirements for cybersecurity (2012):

• continuous monitoring management
• configuration management
• identity and access management
• incident response and reporting
• risk management
• security training
• plan of action and milestones
• remote access management
• contingency planning
• contractor systems
• security capital planning

FISMA 2012 focuses on three priorities for watching what data enters and exits the network:

• Trusted Internet Connections
• Continuous Monitoring
• HSPD-12

The new FISMA is based on meeting the President's May 2012 directive entitled “Building a 21st Century Digital Government”. The Digital Government Strategy focuses on giving better digital services to Americans and requires integrating better security and privacy measures into the design and adoption of all new technologies introduced to the Federal environment. Privacy is a bit of a contradiction with the Patriot Act, but perhaps there is a plan to get rid of it.

“Building a 21st Century Digital Government” seeks to establish an interagency Joint Continuous Monitoring Working Group to support Federal organizations in building “a government-wide continuous monitoring capability for Federal information systems” (FISMA FY12). The National Cybersecurity and Communications Integration Center was set up at the Department of Homeland Security for incident response. The feds implemented a strategy for the Einstein 3 intrusion prevention system to enable significant capabilities to be deployed during FY 2013, four years earlier than planned (FISMA FY12).

National Insider Threat Policy

The “National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs” was created as a response to WikiLeaks and insiders leaking classified data. The feds developed a policy for dealing with massive leaks of sensitive data. The policy addresses information security and information sharing and sees them as mutually reinforcing activities, through three guiding principles: information is a national asset; information sharing and safeguarding requires shared risk management; and information informs decision making. The policy pushes agencies to develop and promote effective insider threat programs to deter, detect, and mitigate actions by employees who may represent a threat to national security.


Cybersecurity Framework

Adam Sedgewick, Senior Information Technology Policy Advisor at the National Institute of Standards and Technology (NIST), spoke at RSA Conference 2014 and touched on the key elements of the Cybersecurity Framework. The framework is designed for critical infrastructure operators to safeguard their information assets. Adam addresses critics who say the framework is too simplified to be effective. The Cybersecurity Framework will evolve from version 1, which was issued in mid-February (see NIST Releases Cybersecurity Framework). More on the Critical Infrastructure Cybersecurity Framework.

The document is a guide for implementing Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.” Adam represents NIST on the Department of Commerce Internet Policy Task Force and advises NIST leadership on cybersecurity issues:

“Recognizing the role that the protection of privacy and civil liberties plays in creating greater public trust, the Executive Order requires that the Framework include a methodology to protect individual privacy and civil liberties when critical infrastructure organizations conduct cybersecurity activities. Many organizations already have processes for addressing privacy and civil liberties. The methodology is designed to complement such processes and provide guidance to facilitate privacy risk management consistent with an organization’s approach to cybersecurity risk management. Integrating privacy and cybersecurity can benefit organizations by increasing customer confidence, enabling more standardized sharing of information, and simplifying operations across legal regimes.” — Cyberframework


SCAP Compliance Checker (SCC)

SCAP Compliance Checker (SCC) Tool 3.1.2

SPAWAR Systems Center Atlantic has released an updated version of the SCAP Compliance Checker (SCC) Tool. The updated features include recent DISA STIG content for both Windows and Red Hat systems and NIST USGCB patch content. In addition, several defects have been resolved in the 3.1.2 release.

SCAP content available:

• AIX
• .NET Framework
• Google Chrome
• HP-UX
• Internet Explorer Benchmarks
• Red Hat
• Solaris
• Windows 8 Benchmarks
• Windows 2008 R2 Benchmarks
• Windows 2008 Benchmarks
• Windows 2003 Benchmarks
• Windows 7 Benchmarks
• XP Benchmarks
• Vista Benchmarks
• Audit
• SCAP Tools

The SCAP Tools are located at http://iase.disa.mil/stigs/scap/index.html#scc

Security Content Automation Protocol (SCAP) Windows Benchmarks

DISA Field Security Operations (FSO) is releasing updated automated compliance benchmarks for Windows operating systems outside of the normal quarterly release schedule. The latest benchmarks will correct a problem with importing the content into the HBSS Policy Auditor tool. The Benchmarks are located at http://iase.disa.mil/stigs/scap/index.html

More on the features of the SPAWAR SCAP Compliance Checker (SCC) Tool. Primary features:

• No per-seat license costs for Federal government/contractor computers
• Performs compliance scanning using SCAP content
• Performs vulnerability scanning using OVAL content
• Performs manual interview checks using OCIL content
• Creates XCCDF XML results
• Creates OVAL XML results
• Creates ARF XML results
• Creates CyberScope Autofeed XML results
• Creates HTML and text-based single-computer reports
• Creates HTML and spreadsheet-based multi-computer summary reports
• Allows for installation of custom SCAP and OVAL content
• Allows for automatic downloading of updated patch content from Internet/Intranet
• Allows for organizational deviations
• Allows for organizationally defined compliance thresholds
• Has graphical and command line interfaces
• Native executables per platform (no runtime requirements such as Java)
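As an added example (not SCC's own code or output), the Python below reads an XCCDF 1.2 results document of the kind SCC creates, tallies the rule results for the target, and applies an organizationally defined compliance threshold; the sample document, rule ids, hostname, and the scoring policy are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample in the XCCDF 1.2 results layout (not real SCC output):
# a Benchmark holding one TestResult with a handful of rule-result entries.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <TestResult id="xccdf_example_testresult_sample">
    <target>host01.example.test</target>
    <rule-result idref="xccdf_example_rule_password_length"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_audit_logon"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_legacy_service"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_screen_lock"><result>fixed</result></rule-result>
    <rule-result idref="xccdf_example_rule_manual_review"><result>notchecked</result></rule-result>
    <rule-result idref="xccdf_example_rule_firewall_state"><result>error</result></rule-result>
  </TestResult>
</Benchmark>
"""

# Scoring policy (an assumption of this example): pass/fixed count as compliant;
# fail/error/unknown count against the score so a scanner error cannot inflate it;
# notapplicable, notchecked, notselected and informational are left out of the denominator.
COMPLIANT = {"pass", "fixed"}
NONCOMPLIANT = {"fail", "error", "unknown"}


def summarize_results(xccdf_xml):
    """Return (counts per result value, ids of rules that count against the score)."""
    root = ET.fromstring(xccdf_xml)
    counts, failed_rules = {}, []
    for rr in root.iterfind(".//xccdf:TestResult/xccdf:rule-result", XCCDF_NS):
        result = rr.findtext("xccdf:result", default="unknown", namespaces=XCCDF_NS).strip()
        counts[result] = counts.get(result, 0) + 1
        if result in NONCOMPLIANT:
            failed_rules.append(rr.get("idref"))
    return counts, failed_rules


def compliance_score(counts):
    """Percentage of scored rules that are compliant; 0.0 when nothing was scored."""
    good = sum(n for r, n in counts.items() if r in COMPLIANT)
    bad = sum(n for r, n in counts.items() if r in NONCOMPLIANT)
    return 100.0 * good / (good + bad) if good + bad else 0.0


def meets_threshold(xccdf_xml, threshold_percent):
    """True when the target's score reaches the organizationally defined threshold."""
    counts, _ = summarize_results(xccdf_xml)
    return compliance_score(counts) >= threshold_percent
```

The failed-rule ids returned by summarize_results are what you would carry into a POA&M; an "error" result is deliberately counted against the target so a broken check cannot pass unnoticed.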


Risk Management Framework For DoD IT

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), dated March 14, has been released. The Risk Management Framework for DoD IT establishes the cybersecurity policy associated with DoDD 8500 and assigns responsibilities for executing and maintaining the RMF. It replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life-cycle cybersecurity risk to DoD IT. The RMF renames the DIACAP Technical Advisory Group to the RMF TAG.

A couple of big changes: it moves away from the term “Information Assurance” as much as possible, and it addresses some of the biggest issues of DIACAP right away:

“[RMF] Provides procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within DoD, and between DoD and other federal agencies, for the authorization and connection of information systems (ISs).”

One of the biggest issues with DIACAP was that different organizations had different DIACAP processes, so if, for example, Unit Sample (Army) wanted to connect to a Flight A (Air Force) system, one (or both) of them would have to redo their process.

How much does the Risk Management Framework for DoD IT take from NIST? See for yourself:

“RMF GOVERNANCE. The DoD RMF governance structure implements the three-tiered approach to cybersecurity risk management described in NIST SP 800-39 (Reference (i)), synchronizes and integrates RMF activities across all phases of the IT life cycle, and spans logical and organizational entities.”


DoDI 8500 8510 DIARMF signed

DoDI 8500 8510 DIARMF signed? It is 11 Mar 2014 and there is nothing at all officially distributed. Check here: http://www.dtic.mil/whs/directives/index.html

There is nothing posted on the DoD CIO site: http://dodcio.defense.gov/

Nothing on the DON CIO site: http://www.doncio.navy.mil/

Since 2011 I have been hearing about DIARMF. Rumor has it Ms Teresa Takai signed it. That means the next step is distribution.

Update: DoDI 8500 and 8510 DIARMF have been signed and are in the process of being distributed:

“Implements References (c) through (f) by establishing the RMF for DoD IT (referred to in this instruction as “the RMF”), establishing associated cybersecurity policy, and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life-cycle cybersecurity risk to DoD IT in accordance with References (g) through (k).”

We have been calling it DIARMF for years (because that's what they originally told us the name would be). But I guess the name will be RMF for DoD IT, or just RMF… I guess. Since we did not know what to call it, we were calling it DIARMF even on resumes. Technically we should not have called it anything since it did not officially exist for 3 years. But the thing is that some of us were in the middle of Certification & Accreditation on major projects while they were telling us the ENTIRE process was about to change.


risk assessment methods

Risk assessment methods are covered in NIST SP 800-30, Risk Management, and NIST SP 800-115, Technical Guide to Information Security Testing and Assessment. NIST SP 800-30 covers a high-level framework of risk assessment methods, as you can see in the Risk Assessment Methodology Flowchart (more details on each step in the Risk Assessment Method Flowchart). It's an important aspect of Risk Management as a whole, so it's talked about over and over on this site.

NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, covers the tasks for assessing security controls, so it is an important part of risk assessment methods. You have to know the characteristics of the system (step one of the NIST 800-30 risk assessment method) to do information security testing and assessment. Information security testing in 800-115 uses three types of assessment methods to analyze the effectiveness of security controls (Step 4 of the Risk Assessment Method flowchart) and possibly identify vulnerabilities (Step 3): testing, examination, and interviewing.

• Testing = process of exercising one or more assessment objects under specific conditions to compare actual and expected behaviors.
• Examination = process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence.
• Interviewing = the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify the location of evidence.

– NIST SP 800-115


Risk Management Techniques

Organizations with poor planning or a fixed budget spend more time making excuses than implementing risk management techniques. Risk management techniques can be found in ISO 31000:2009, NIST SP 800-39, the ISACA Risk IT Framework and Canada’s ITSG-33 (see more in risk management principles). The techniques of risk management center around looking at overall organizational security risk and asking the questions, “What happens if a threat causes the organization to lose its capability?” and “Are we prepared?”

All the standards listed above actually have the same risk management techniques, but the trick is to actually implement the risk management. You would think that is a no-brainer, but unfortunately organizations KNOW what they are supposed to do for due diligence but spend time making Risk Management Excuses for why they won’t do it rather than on how they can spend time or money on risk management techniques. Kudos to the organization that IMPLEMENTS REAL risk management techniques with continuous monitoring within a realistic budget and does not just pass the risk to someone else, or ignore the risk and make excuses when things go wrong. As a risk management foot soldier, I KNOW how hard this can be.


At Risk Management

@ risk management: the US Department of Defense takes a run at IT risk management. In the history of the world there has never been a military power as far-reaching and complete as the US armed services. Is it because they spend over half a trillion dollars on their military, which is more than the next 10 nations combined? Hmm… perhaps. http://www.huffingtonpost.com/2012/08/06/defense-spending-fact-of-the-day_n_1746685.html Or maybe it is having over 7000 nukes? I am no military expert, so I cannot say for sure. But I DO know a little something/something about IT Risk Management. And I think the DoD is really making an honest attempt at risk management… which may be why it's taking them 3+ years to release “DIARMF” (2011 – 2014).

I am proud of them and I am glad they are really trying to take security seriously. I think that as large government organizations go, they are kind of driving the market on how it can be done. I would NOT say they are the most secure, and I would not say they are perfect by any stretch of the imagination, but I would say they have made more improvements in the last 10 years than any other large government organization. As one of the biggest military organizations on the block, with the most toys, the most controversy, and the most coverage in the media (circa 2000-2014), I would say they are doing pretty good.


NIST Security Framework

The closest thing to a “NIST Security Framework” is the NIST Risk Management Framework, NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems (revision 1). DIARMF is based on this NIST Security Framework. It has 6 steps: Categorize, Select, Implement, Assess, Authorize and Continuously Monitor.

NIST Security Framework – Step 1. Categorize
The first risk management framework step is categorization. Categorization is done by the system owner with FIPS 199 and NIST SP 800-60.

NIST Security Framework – Step 2. Select
Selection of security controls is done with FIPS 200 and NIST SP 800-53. More on DIARMF – Select

NIST Security Framework – Step 3. Implement
Using the System Security Plan developed during steps 1 and 2, the organization responsible for the categorized system can begin implementation of the selected security controls. More on DIARMF – Implement

NIST Security Framework – Step 4. Assess
After the security controls are implemented, step 4 is used to assess those controls. This is done using NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations. More on DIARMF – Assess

NIST Security Framework – Step 5. Authorize
In step 5, an Authorizing Official makes a formal, written acceptance of the risks. More on DIARMF – Authorization

NIST Security Framework – Step 6. Continuous Monitoring
Maintaining the security posture of the network / system means doing continuous monitoring. More on DIARMF – Continuous Monitoring


info assurance

Info assurance is a comprehensive approach to information security. It includes risk management, information protection, operational risk, business risk, assurance technology and much more. More on “What is Info Assurance”?

Information assurance is the practice of assuring the confidentiality, integrity and availability of the processing, storing and/or transmission of data. Information assurance is used as a more complete approach to information security. Since Info Assurance covers all aspects of security, all individuals with internal access to an organization's critical assets must get info assurance awareness training. Info Assurance is not just about turning on and configuring assurance technology, but informing and educating those who have internal access to your system.

Info Assurance has its own complete common body of knowledge, industry, career path and degree programs accepted by the National Center of Academic Excellence in Information Assurance Education and those approved by the National Security Agency. By becoming an info assurance specialist you can get work in many parts of the DoD including the USAF, US Army, Department of the Navy and many other agencies. But IA jobs expect specific certification(s), experience and a degree. The IA qualifications come from DoDD 8570, which is being replaced with DoDD 8140. There are lots of titles that are considered within IA: System Security Engineer, Info Assurance Analyst, Info Assurance Specialist, Info Assurance Subject Matter Expert (SME), Risk Analyst IT, and many others.
