CISA orders agencies to set up vulnerability disclosure programs

Out of scores of federal civilian agencies, only a handful have official programs to work with outside security researchers to find and fix software bugs — a process that is commonplace in the private sector. Now, to put an end to the foot-dragging, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is giving agencies six months to set up the programs, known as vulnerability disclosure policies (VDPs). CISA on Wednesday issued a directive requiring agencies to establish VDPs that forswear legal action against researchers who act in good faith, allow participants to submit vulnerability reports anonymously and cover at least one internet-accessible system or service. It’s the latest sign that federal officials are warming to white-hat hackers from various walks of life. “We believe that better security of government computer systems can only be realized when the people are given the opportunity to help,” CISA Assistant Director […]

The post CISA orders agencies to set up vulnerability disclosure programs appeared first on CyberScoop.

US Government Sites Give Bad Security Advice

Many U.S. government Web sites now carry a message prominently at the top of their home pages meant to help visitors better distinguish between official U.S. government properties and phishing pages. Unfortunately, part of that message is misleading and may help perpetuate a popular misunderstanding about Web site security and trust that phishers have been exploiting for years now.

OMB slams agencies on cyber risk, calls for ‘bold’ new approaches

Nearly three quarters of 96 agencies reviewed by federal officials have cybersecurity programs that are either “at risk” or at “high risk,” meaning “bold approaches” are needed to secure federal networks, according to the Office of Management and Budget. Risk assessments carried out by OMB show that a lack of threat information available to agencies “results in ineffective allocations” of their limited budgets, OMB said in a report released last week. “This situation creates enterprise-wide gaps in network visibility, IT tool and capability standardization, and common operating procedures, all of which negatively impact federal cybersecurity.” In the report, a “high risk” designation means that key cybersecurity policies and tools are either absent or insufficiently deployed, while an “at risk” rating means some key policies are in place to lessen cyber risk, “but significant gaps remain.” An executive order that President Donald Trump signed last year mandated the governmentwide survey of […]

The post OMB slams agencies on cyber risk, calls for ‘bold’ new approaches appeared first on CyberScoop.

From NSTIC to Improved Cybersecurity: U.S. Government Updates ICAM Policy

The following article, authored by Michael Magrath, Director, Global Regulations & Standards, first appeared 4/13/18 on CSO Online. Seven years ago, the Obama Administration published the National Strategy for Trusted Identities in Cyberspace (NST…

White House seeks to tighten identity management in federal agencies

A new White House memo tasks agencies with clamping down on identity security by designating a team of officials from the offices of the chief information officer and chief security officer, among others, to tackle the issue. The Office of Management and Budget draft policy released Friday asks these officials to coordinate regularly to make sure federal Identity, Credential, and Access Management (ICAM) policies are consistently implemented. The proliferation of personal information through social media and data breaches makes verifying identities all the more important for agencies, OMB said. ICAM – a set of measures to prevent unauthorized access to sensitive information – is a staple of cybersecurity, and federal agencies have had to adapt to evolving identity scams from hackers. ICAM took on added importance in the U.S. government after the devastating 2015 Office of Personnel Management breach, in which hackers used compromised credentials to steal information on 22 million […]

The post White House seeks to tighten identity management in federal agencies appeared first on CyberScoop.

OMB sees risk management efforts slowly coming to fruition

U.S. officials are finally starting to get the real-time situational awareness cybersecurity data they need to make risk management decisions about their networks, a federal advisory panel was told Wednesday. But much of the news isn’t good, and the way decisions are handled can have a big impact on the effectiveness of government-wide efforts like the Department of Homeland Security’s Continuous Diagnostics and Monitoring program, officials said. The report on agency risk — one of two required by President Donald Trump’s executive order on cybersecurity — has been submitted to the president, NIST’s Information Security and Privacy Advisory Board was told. The report on IT modernization was being finalized for submission after an analysis of the report’s public comments, Joshua Moses, from the office of the federal CIO, said. Moses said officials were keen to leverage the EO’s authorities in order to improve measurability and accountability related to agencies’ […]

The post OMB sees risk management efforts slowly coming to fruition appeared first on CyberScoop.

Federal agencies often don’t know who’s attacking them online, OMB says

In nearly a third of the cybersecurity incidents reported to the Department of Homeland Security by federal agencies, there was no information about what kind of attack took place or where it was targeted, officials said Wednesday. In the annual reporting required by the 2014 Federal Information Security Modernization Act, or FISMA, “most agencies didn’t have a handle on where the threat was coming from,” White House Office of Management and Budget official Joshua Moses told a federal advisory panel. “Nearly a third of the incidents that were reported to Homeland Security last year did not have an associated threat vector or attack vector specified in the reporting,” he explained to the Information Security and Privacy Advisory Board during an update on OMB’s cybersecurity activities. Experts say that while it may not matter for the purposes of foiling any one particular attack, knowing the details of an organization’s threat environment — who might be trying to attack […]

The post Federal agencies often don’t know who’s attacking them online, OMB says appeared first on CyberScoop.

Double role for White House cyber aide shows challenges for new administration

The remarkable decision to have a single official fill two key White House cybersecurity posts has highlighted both the Trump administration’s commitment to securing federal IT networks as a national security priority and its inability to fill key cyber jobs. Grant Schneider, the current deputy federal CISO, who has been acting CISO since his boss left in mid-January, will also begin doing the job of senior director within the cybersecurity directorate of the National Security Council staff, the White House let slip this week. The federal CISO job is based in the Office of Management and Budget, which, like the NSC, is within the Executive Office of the President. Several former NSC staffers told CyberScoop the dual-hatting arrangement makes sense in the short term, but they questioned its viability in the long run. The administration made fixing federal government IT systems a priority under the cybersecurity executive order President Trump signed in May. The CISO’s office is operationally responsible for […]

The post Double role for White House cyber aide shows challenges for new administration appeared first on CyberScoop.

Federal CISO to get second hat as National Security Council’s cyber director

Grant Schneider, the acting federal CISO who has been running the shop since his boss left just before the inauguration, is getting a second hat within the White House as a senior director for cybersecurity at the National Security Council, an administration official tells CyberScoop. Schneider will take over one of the “recently vacated senior director positions within the Cybersecurity Directorate on the NSC led by Rob Joyce,” the official said in an email. Schneider is the deputy CISO, but has been acting up since federal CISO Gregory Touhill departed in mid-January. “In order to increase synergy and alignment of national and federal cybersecurity strategy, policy, and guidance,” Schneider will continue to do his job at the Office of Management and Budget, the official added. “He will continue to lead and manage the Federal CISO team at OMB as well as the ‘Homeland’ portfolio within the NSC Cybersecurity Directorate.” That position was most recently filled […]

The post Federal CISO to get second hat as National Security Council’s cyber director appeared first on CyberScoop.