
Home/ CSIA 459/ Group items tagged NIST


Amy Harding

NIST sorting comments on cybersecurity framework - FierceGovernmentIT - 7 views

  •  
    Be careful what you ask for -- NIST is now sorting through all the public comments related to the cybersecurity executive order and has 185 days to get the framework published.
Amy Harding

Cryptographic Module Validation Program (CMVP) - 8 views

  •  
    Read and explore this NIST website. Do you see any products that you are familiar with? Can you determine how this program enhances the security of these products?
  •  
    After looking through the website, I found the Vendor list for 140-2, which provides what I would think is the complete product list of Vendors and products which meet the standard. A couple of items which meet the standard are Microsoft Windows 7 BitLocker Drive Encryption and Research In Motion's BlackBerry Cryptographic Kernel. It is important that the CMV Program is in place within the U.S. If we are going to rely on encryption to keep our secrets safe, then the products we use to encrypt our data need to be checked to ensure they are secure.
Amy Harding

The Security Content Automation Protocol (SCAP) - NIST - 5 views

shared by Amy Harding on 06 Mar 13 - Cached
  •  
    Using the links to the left of the screen, click around the SCAP website and think about how this protocol could help organizations manage their security vulnerabilities. Does your organization use SCAP?
Shondre Fort

Researchers Share Useful Lessons Learned in Evaluating Emerging Technologies - 0 views

  • Schlenoff and his colleagues used their SCORE approach to evaluate technologies as they progressed under two DARPA programs: ASSIST and TRANSTAC. In ASSIST, DARPA is funding efforts to instrument soldiers with wearable sensors—video cameras, microphones, global positioning devices and more—to continuously record activities while they are on a mission. TRANSTAC is driving the development of two-way speech-translation systems that enable speakers of different languages to communicate with each other in real-world situations, without an interpreter. By providing constructive feedback on system capabilities, the SCORE evaluative framework helps to drive innovation and performance improvements.
  •  
    SCORE (System, Component and Operationally Relevant Evaluations) is a unified set of criteria and software tools for defining a performance evaluation approach for complex intelligent systems. It provides a comprehensive evaluation blueprint that assesses the technical performance of a system and its components through isolating and changing variables as well as capturing end-user utility of the system in realistic use-case environments. The SCORE framework has proven to be widely applicable in nature and equally relevant to technologies ranging from manufacturing to military systems. It has been applied to the evaluation of technologies in DARPA programs that range from soldier-worn sensors on patrol to speech-to-speech translation systems. It is also currently being applied to assessing the control of autonomous vehicles on a shop floor.
  •  
    From NIST Tech Beat: June 21, 2011 Most industry executives, military planners, research managers or venture capitalists charged with assessing the potential of an R&D project probably are familiar with the wry twist on Arthur C. Clarke's third law*: "Any sufficiently advanced technology is indistinguishable from a rigged demo."
Amy Harding

Security Requirements for Cryptographic Modules - 4 views

  •  
    This standards publication (FIPS 140-2) is a key standards document. Skim through it and see if you can find some ideas for emerging threats against the standard(s).
  •  
    FIPS 140-3 is on its way and is needed as 140-2 is quite old now. Interestingly, however, crypto is one of the slower-moving areas in information security. Many of our algorithms have been around for many years; we have moved forward by increasing key size rather than changing the algorithms. AES and 3DES are still FIPS approved, whereas RC4 is not (which is used by many internet giants such as Google and Facebook).
  •  
    Any time you are allowed to introduce code into a program, you have a chance for error. By allowing cryptographic software and firmware to be updated, I think you will always have the chance for emerging threats to be introduced in the form of malware. Recently, the U.S. has stopped allowing the use of Chinese-built hardware for certain DOD/Federal agencies. If we allow the enemy to build the devices we use to form our security foundations, we have already lost the war.
  •  
    I believe the frequency of review of this policy is untimely given the speed at which technology advances. If they could move the review from 5 years to 2 years, that will suffice. At times, once the policy is published, folks are already working on the revision to keep up with technology growth. "Since a standard of this nature must be flexible enough to adapt to advancements and innovations in science and technology, this standard will be reviewed every five years in order to consider new or revised requirements that may be needed to meet technological and economic changes."
Amy Harding

http://www.safegov.org/media/46155/measuring_what_matters_final.pdf - 3 views

  •  
    Agencies must establish a unique baseline threat assessment and automate monitoring to ensure good cybersecurity, says a SafeGov report released Tuesday.
  •  
    SafeGov has an interesting approach to cybersecurity. I feel the framework is an effective way to approach security. Ben
  •  
    The legislation proposal aims at achieving cybersecurity due to increased network threats in government and in organizations. Educating the public and the use of cybersecurity technologies have great impacts on government agencies. Our government department complies with NIST and ISO/IEC, and the two bodies help in enhancing privacy and security at the national and international levels. It is important to identify efficient operational, technical and management security controls in a comprehensive computer security plan. Risk assessment in management control assists in identification of risks and in putting up risk assessment policies. Operational controls have their basis in restrictions on access to information resources and in user permissions. Sam
Amy Harding

CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Mo... - 7 views

  •  
    For Week 6