The cybersecurity framework released earlier this month by the National Institute of Standards and Technology has the potential to change federal agencies' approach to cybersecurity as well as that of the original intended audience of private sector critical infrastructure companies, said a NIST official. The framework outlines a maturity model of four tiers against which adoptees can benchmark the sophistication of their cybersecurity program.
Now that the cybersecurity framework is out, the National Institute of Standards and Technology says a next step will be to map the alignment of its remaining library of cybersecurity guidance documents to practices called for in the voluntary guidance document.
An advanced persistent threat called Careto, aka the Mask, may be state sponsored, says Kaspersky Lab, the security company that discovered the malware. In a new report (.pdf), the company says the malware is "extremely sophisticated." It works on Windows, Mac and Linux systems, and possibly Android and iOS as well. It can intercept keystrokes, encryption keys, Wi-Fi traffic, Skype conversations and more.
Although the National Institute of Standards and Technology backed down from including a dedicated privacy appendix in the newly released critical infrastructure cybersecurity framework, it hasn't given up on the prospect of including privacy controls in future iterations of the framework. In the final version of the framework released Feb. 12 – final only in the sense that it's version 1.0 of what NIST says will be a "living document" – NIST removed an appendix containing privacy controls included in earlier drafts.
The federal government today released a framework for cybersecurity meant for voluntary adoption within the private sector while acknowledging that work remains to be done in constructing incentives for adoption, and within the framework itself. Framework development has been a year-long effort led by NIST, which received its mandate through a cybersecurity executive order.
Secretary Jeh Johnson said in a speech Feb. 7 that "when reform legislation is enacted, DHS must be prepared to implement reform. So to prepare for this potential outcome, I have already directed the deputy secretary of homeland security to coordinate the process, to ensure we are ready to implement the law." The speech, at the Wilson Center in Washington, D.C., was Johnson's first major policy address since his confirmation in December.
A software defect that caused a joint Veterans Affairs and Defense Department self-service benefits portal to display personally identifiable information to other users accessing the system affected no more than 1,362 individuals, a VA official told a House panel.
Struggles with information technology are the most common management challenges across large agencies, an analysis from the consulting firm Grant Thornton shows. Numerous agencies faced challenges with both IT security and management.
The House Homeland Security Committee approved by unanimous voice vote a cybersecurity bill that would codify the Homeland Security Department's role in federal cybersecurity and require it to work with the private sector on securing critical infrastructure.
Basic cybersecurity measures such as patching, anti-virus software updates and password management are insufficient at federal agencies, leaving government networks vulnerable to even non-sophisticated cyber intrusions, finds a Feb. 4 report.