OMB orders federal agencies to let CISA access defenses of devices, servers

The White House is directing agencies to let the Cybersecurity and Infrastructure Security Agency work with them on their efforts to protect endpoints, such as computer workstations and servers — an area where officials have said the federal government fell short in the SolarWinds hack. The Office of Management and Budget issued a memo on Friday that sets a 90-day deadline for CISA, the main cyber wing of the Department of Homeland Security, to access agencies’ current endpoint detection and response deployments. It then spells out timelines for other steps to improve their endpoint defenses. OMB says the goal is to establish “improved agency capabilities for early detection, response, and remediation of cybersecurity incidents on their networks, using advanced technologies and leading practices.” The memo is an outgrowth of President Joe Biden’s cybersecurity executive order from May. And the focus on endpoints reflects one of the main takeaways from a […]

The post OMB orders federal agencies to let CISA access defenses of devices, servers appeared first on CyberScoop.


Federal CISO forecasts one of toughest tasks in sweeping Biden cyber executive order

At 34 pages, President Joe Biden’s May executive order on cybersecurity is lengthier than many such White House directives. It’s going to keep federal agencies busy for a long time implementing a host of protective measures, but one might prove a heavier burden, according to Federal Chief Information Security Officer Chris DeRusha. The executive order establishes cybersecurity event log requirements for agencies, meant to improve the government’s ability to investigate and clean up attacks. “To do monitoring and understand what activity is occurring or has occurred on your network, that’s a huge multi-year exercise that each agency’s going to have to undertake,” DeRusha said during an interview that aired Tuesday as part of CyberTalks, a summit presented by CyberScoop. But it’s a very important part of the order, he said. “When you think about it, it’s really a key pillar of … cyber hygiene,” said DeRusha. Under the order, the Homeland […]

The post Federal CISO forecasts one of toughest tasks in sweeping Biden cyber executive order appeared first on CyberScoop.


CISA orders agencies to set up vulnerability disclosure programs

Out of scores of federal civilian agencies, only a handful of them have official programs to work with outside security researchers to find and fix software bugs — a process that is commonplace in the private sector. Now, to put an end to the foot-dragging, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is giving agencies six months to set up the programs, known as vulnerability disclosure policies (VDPs). CISA on Wednesday issued a directive requiring agencies to establish VDPs that forswear legal action against researchers who act in good faith, allow participants to submit vulnerability reports anonymously and cover at least one internet-accessible system or service. It’s the latest sign that federal officials are warming to white-hat hackers from various walks of life. “We believe that better security of government computer systems can only be realized when the people are given the opportunity to help,” CISA Assistant Director […]

The post CISA orders agencies to set up vulnerability disclosure programs appeared first on CyberScoop.


US Government Sites Give Bad Security Advice

Many U.S. government Web sites now carry a message prominently at the top of their home pages meant to help visitors better distinguish between official U.S. government properties and phishing pages. Unfortunately, part of that message is misleading and may help perpetuate a popular misunderstanding about Web site security and trust that phishers have been exploiting for years now.

OMB slams agencies on cyber risk, calls for ‘bold’ new approaches

Nearly three quarters of 96 agencies reviewed by federal officials have cybersecurity programs that are either “at risk” or at “high risk,” meaning “bold approaches” are needed to secure federal networks, according to the Office of Management and Budget. Risk assessments carried out by OMB show that a lack of threat information available to agencies “results in ineffective allocations” of their limited budgets, OMB said in a report released last week. “This situation creates enterprise-wide gaps in network visibility, IT tool and capability standardization, and common operating procedures, all of which negatively impact federal cybersecurity.” In the report, a “high risk” designation means that key cybersecurity policies and tools are either absent or insufficiently deployed, while an “at risk” rating means some key policies are in place to lessen cyber risk, “but significant gaps remain.” An executive order that President Donald Trump signed last year mandated the governmentwide survey of […]

The post OMB slams agencies on cyber risk, calls for ‘bold’ new approaches appeared first on Cyberscoop.


From NSTIC to Improved Cybersecurity: U.S. Government Updates ICAM Policy

The following article, authored by Michael Magrath, Director, Global Regulations & Standards, first appeared 4/13/18 on CSO Online. Seven years ago, the Obama Administration published the National Strategy for Trusted Identities in Cyberspace (NST…

White House seeks to tighten identity management in federal agencies

A new White House memo tasks agencies with clamping down on identity security by designating a team of officials from the offices of the chief information officer and chief security officer, among others, to tackle the issue. The Office of Management and Budget draft policy released Friday asks these officials to coordinate regularly to make sure federal Identity, Credential, and Access Management (ICAM) policies are consistently implemented. The proliferation of personal information through social media and data breaches makes verifying identities all the more important for agencies, OMB said. ICAM – a set of measures to prevent unauthorized access to sensitive information – is a staple of cybersecurity, and federal agencies have had to adapt to evolving identity scams from hackers. ICAM took on added importance in the U.S. government after the devastating 2015 Office of Personnel Management breach, in which hackers used compromised credentials to steal information on 22 million […]

The post White House seeks to tighten identity management in federal agencies appeared first on Cyberscoop.


OMB sees risk management efforts slowly coming to fruition

U.S. officials are finally starting to get the real-time situational awareness cybersecurity data they need to make risk management decisions about their networks, a federal advisory panel was told Wednesday. But much of the news isn’t good, and the way decisions are handled can have a big impact on the effectiveness of government-wide efforts like the Department of Homeland Security’s Continuous Diagnostics and Monitoring program, officials said. The report on agency risk — one of two required by President Donald Trump’s executive order on cybersecurity — has been submitted to the president, NIST’s Information Security and Privacy Advisory Board was told. The report on IT modernization was being finalized for submission after an analysis of the report’s public comments, Joshua Moses, from the office of the federal CIO, said. Moses said officials were keen to leverage the EO’s authorities in order to improve measurability and accountability related to agencies’ […]

The post OMB sees risk management efforts slowly coming to fruition appeared first on Cyberscoop.


Federal agencies often don’t know who’s attacking them online, OMB says

In nearly a third of the cybersecurity incidents reported to the Department of Homeland Security by federal agencies, there was no information about what kind of attack took place or where it was targeted, officials said Wednesday. In the annual reporting required by the 2014 Federal Information Security Modernization Act, or FISMA, “most agencies didn’t have a handle on where the threat was coming from,” White House Office of Management and Budget official Joshua Moses told a federal advisory panel. “Nearly a third of the incidents that were reported to Homeland Security last year did not have an associated threat vector or attack vector specified in the reporting,” he explained to the Information Security and Privacy Advisory Board during an update on OMB’s cybersecurity activities. Experts say that while it may not matter for the purposes of foiling any one particular attack, knowing the details of an organization’s threat environment — who might be trying to attack […]

The post Federal agencies often don’t know who’s attacking them online, OMB says appeared first on Cyberscoop.
