Category Archives: FISMA

What’s lurking in federal mobile tech? Apps, devices could hold nasty surprises.

Posted on by

A discovery by Department of Homeland Security techs shows that federal agencies could get some nasty surprises as they prepare for a new reporting mandate assessing the security of their mobile devices and apps. When security specialists from the DHS Science and Technology Directorate’s mobile security research and development team scanned the MyTSA mobile app, they found hard-coded credentials, program manager Vincent Sritapan said Thursday at the Red Hat Government Symposium presented by FedScoop. “What does this mean? This means … you are exposing the backend,”  Sritapan said, referring to the fact that, in many applications, credentials erroneously hard-coded into the software can be a backdoor into the data that apps collect and to their cloud-based functionality. The MyTSA app is designed to let airline passengers get crowdsourced or historical data about wait-times at airport security checkpoints. It includes a searchable database of items that can and can’t go in checked or carry-on bags. It’s unclear how much or what data was […]

The post What’s lurking in federal mobile tech? Apps, devices could hold nasty surprises. appeared first on Cyberscoop.

Continue reading What’s lurking in federal mobile tech? Apps, devices could hold nasty surprises.

Federal agencies often don’t know who’s attacking them online, OMB says

Posted on by

In nearly a third of the cybersecurity incidents reported to the Department of Homeland Security by federal agencies, there was no information about what kind of attack took place or where it was targeted, officials said Wednesday. In the annual reporting required by the 2014 Federal Information Security Modernization Act or FISMA, “most agencies didn’t have a handle on where the threat was coming from,” White House Office of Management and Budget official Joshua Moses told a federal advisory panel. “Nearly a third of the the incidents that were reported to Homeland Security last year did not have an associated threat vector or attack vector specified in the reporting,” he explained to the Information Security and Privacy Advisory Board during an update on OMB’s cybersecurity activities. Experts say that while it may not matter for the purposes of foiling any one particular attack, knowing the details of an organization’s threat environment — who might be trying to attack […]

The post Federal agencies often don’t know who’s attacking them online, OMB says appeared first on Cyberscoop.

Continue reading Federal agencies often don’t know who’s attacking them online, OMB says

No longer ‘federal,’ no longer exclusively ‘cyber’ — NIST security controls break out

Posted on by

The National Institute of Standards and Technology has removed the word “federal” from the title of its magisterial catalogue of cybersecurity and privacy controls — one of a series of proposed changes they rolled out this week after a long delay. “The reality is, today we’re all of us — federal, state and local government and the private sector — using the same technologies … and facing the same [cyber] threats” as a result, said NIST Fellow Ron Ross. As they were doing the re-write — a year-and-a-half long process — the authors realized that in addition to their traditional “customer base” in the federal agencies mandated by law to use the controls in the catalogue, there were many others who might find it useful. So they changed the name of the catalogue, known as NIST SP-800-53, from Security and Privacy Controls for Federal Information Systems and Organizations, by cutting the word federal. SP 800-53 […]

The post No longer ‘federal,’ no longer exclusively ‘cyber’ — NIST security controls break out appeared first on Cyberscoop.

Continue reading No longer ‘federal,’ no longer exclusively ‘cyber’ — NIST security controls break out

What’s in the NIST cybersecurity controls catalogue update?

Posted on by

NIST Special Publication 800-53 isn’t the most exciting book, but for federal IT managers, the canonical catalogue of cybersecurity controls is like the English Hymnal and the Book of Common Prayer rolled into one. Changes to it are a very big deal. The latest version, put together by top federal scientists from the U.S. National Institute for Standards and Technology, incorporates privacy controls as well, one of its principal authors told CyberScoop. “It’s a leap ahead document,” NIST Cybersecurity Advisor Ron Ross said of the new draft of NIST SP 800-53: “Security and Privacy Controls for Federal Information Systems and Organizations.” Ross and other cyber experts from NIST last week briefed the agency’s Information Security and Privacy Board about the latest, long-awaited set of proposed revisions to the magisterial index of security controls — 800-53 Rev5. SP 800-53 lists the security controls federal managers have to choose from to ensure their IT systems comply with the security standards […]

The post What’s in the NIST cybersecurity controls catalogue update? appeared first on Cyberscoop.

Continue reading What’s in the NIST cybersecurity controls catalogue update?

Legacy IT makes federal agencies less secure, study says

Posted on by

Federal agencies that shift money from maintaining outdated legacy IT systems to modernizing them can expect to see fewer cybersecurity incidents — as can the agencies that migrate legacy systems to the cloud or implement strict data governance policies, according to a new academic study. On average, for each 1 percent of its spending that an agency shifts from maintaining legacy systems to buying new ones, it can expect a 5 percent reduction in the number of security incidents, found the authors of the study “Security Breaches in the U.S. Federal Government.” It was written by two academics from the Fox Business School at Temple University and the Red McCombs School of Business at the University of Texas at Austin and published last week by the Social Science Research Network. The study also found that federal agencies that migrate their legacy IT systems to the cloud suffer fewer security incidents of improper access. And […]

The post Legacy IT makes federal agencies less secure, study says appeared first on Cyberscoop.

Continue reading Legacy IT makes federal agencies less secure, study says

White House releases 2016 agency cyberattack stats, claiming progress

Posted on by

The White House Office of Management and Budget released fiscal 2016 statistics on cybersecurity measures and incidents at U.S. agencies Friday, using new methodologies that make comparison with prior years essentially impossible, but nonetheless saying the government had made progress. For the first time, agencies were required to report only incidents that affected their operations, and to break those incidents down based on the attack vector used. “This is a shift from the previous reporting methodology,” wrote Grant Schneider, the acting federal chief information security officer, in a blog post unveiling the findings. He added that the shift meant “that the FY 2016 incident data is not comparable to prior years’ incident data.” But he stressed the new reporting requirement OMB, the Department of Homeland Security and other agencies “to focus on incidents that may impact operations.” Of the 30,899 incidents that agencies reported, only 16 were determined by agency heads to be “major […]

The post White House releases 2016 agency cyberattack stats, claiming progress appeared first on Cyberscoop.

Continue reading White House releases 2016 agency cyberattack stats, claiming progress