Inside Cybersecurity

May 19, 2024

FedRAMP program roadmap prioritizes cloud security, scaling up to meet agency needs

The General Services Administration’s FedRAMP program emphasizes the need for security in the cloud service offerings used by federal agencies, in a recent roadmap that outlines four goals for the federal initiative and specific steps to reach them, including work with CISA.

The roadmap reflects how the government’s use of the cloud has changed since FedRAMP was created in 2011 and legislation passed in 2022 to codify the FedRAMP program. The Office of Management and Budget...

House Homeland chair pushes for floor vote on open source software bill following supply chain compromise

House Homeland Security Chairman Mark Green (R-TN) is pressing for a floor vote on his bill directing CISA to establish a framework on open source software risks, following an alert from the agency on malicious code found in a widely used data compression library.

CISA issued an alert on Saturday with the “open source community” recommending developers and users downgrade to an uncompromised version of XZ Utils after Red Hat put out an urgent security alert explaining the...

Education Department partners with CISA to launch government coordinating council for K-12 school cybersecurity

The Education Department has launched a government coordinating council with CISA for educational institutions to improve interagency coordination efforts for boosting the cyber posture of K-12 schools.

“The GCC embodies our commitment to ensuring the cybersecurity of our nation's schools,” Education Deputy Secretary Cindy Marten said in a March 28 announcement.

Marten said, “This initiative represents a monumental step forward in formalizing the partnership between federal, state, and local educational leaders in protecting our K-12 critical infrastructure.”

The GCC...

Tech security group urges critical infrastructure entities to establish incident reporting processes in advance of final CISA rule

Private sector organizations should take advantage of parameters laid out in CISA’s notice of proposed rulemaking to establish internal policies for reporting incidents to the cyber agency, according to a leader in the Institute for Security and Technology’s Ransomware Task Force.

“These 18 months are an opportunity for critical infrastructure providers, owners and operators to practice reporting,” IST’s Elizabeth Vish told Inside Cybersecurity.

Vish is IST’s senior director for international cyber engagement and a former State Department official who worked...

ITIF calls for prioritizing international cooperation in rollout of Internet of Things cyber labeling program

The Information Technology and Innovation Foundation emphasizes the need for international cooperation on Internet of Things cybersecurity labeling between the U.S. and European Union, as the Federal Communications Commission works to roll out a program for wireless consumer IoT products.

ITIF in a March 28 report identifies barriers to EU-U.S. alignment on cybersecurity labeling, offers models for translating cooperation, and recommends what is needed for an international agreement to be successful.

The Biden administration launched the U.S....

Dragos CEO Lee advocates for applying electric sector regulatory model to water infrastructure

Establishing a public-private coregulatory partnership for the water sector is a worthwhile effort, according to Dragos CEO Robert M. Lee, who provided an overview of the challenges the sector faces and laid out potential avenues for effective collaboration.

Lee testified on Feb. 6 in front of the House Homeland Security cyber subcommittee on operational technology issues in the water sector. He advocated on Monday for the federal government to “allow the asset owners and operators a lot of input...

Pentagon releases cyber strategy for defense industrial base designed to enhance security posture, build resiliency

The Pentagon’s latest cyber strategy contains four goals to secure the defense industrial base, including measures to advance the Cybersecurity Maturity Model Certification program and the confidentiality of sensitive defense information held by contractors.

“The DIB Cybersecurity Strategy aims to strengthen collaboration with the DIB and provides strategic guidance for new initiatives to achieve the vision of a secure Defense Industrial Base,” Pentagon deputy CIO for cybersecurity David McKeown said during a March 28 briefing on the strategy.

McKeown...

FAR Council establishes new section in acquisition rules for upcoming supply chain regulations

The Defense Department, the General Services Administration and NASA have issued a final rule establishing a new part in the government’s Federal Acquisition Regulation where future supply chain policies and procedures will be maintained.

“DoD, GSA, and NASA are amending the FAR to add the framework for a new FAR part 40, which will contain the policies and procedures for managing information security and supply chain security when acquiring products and services,” the final rule says. It is scheduled...

DHS official outlines strategy for addressing cyber, AI threats to elections

Department of Homeland Security official Iranga Kahangama provided an overview at a think tank event of how DHS is working to address nation state cyber and information threats, as well as cyber crime operations, that could have negative impacts on U.S. election infrastructure.

The department aims to “highlight” tactics, techniques and procedures of cyber threat actors, while recognizing that generative AI is going to enable “more precise attempts to phish and get access to campaigns and election infrastructure,” Kahangama said...

Water sector group doubts EPA ‘quasi-mandate’ for state cybersecurity plans

The Association of State Drinking Water Administrators is questioning the Biden administration’s latest push for states to bolster cybersecurity at drinking water utilities, warning that a 60-day timeline to develop new plans is unrealistic and amounts to a “quasi-mandate” despite EPA’s framing of the initiative as voluntary.

“There's still some lack of clarity going on here,” ASDWA Executive Director Alan Roberson told Inside EPA of a March 21 meeting that EPA and the National Security Council convened with state environment,...

DHS officials emphasize providing value to stakeholders in CISA incident reporting rulemaking

CISA’s notice of proposed rulemaking marks an important milestone in establishing mandatory cyber incident reporting that allows for two-way information sharing and provides insights back to stakeholders to improve their security, according to senior DHS and CISA officials.

“We recognize that Congress gave us the mandate to receive these reports from covered critical infrastructure owners and operators but really, we see this legislation and implementation as a two-way street. We as a department must provide value back to the country...

ONCD convenes legal symposium on developing software liability framework

The Office of the National Cyber Director has kicked off a key piece of the national cyber strategy through a legal symposium held on Wednesday to gather input from academic and think tank stakeholders on how to develop software liability protections.

Symposium participants “discussed the advantages and complexities of each approach, with a view towards the ability to operationalize, enforce, and keep up-to-date on a standard of care and potential approaches to a safe harbor for software developers who engage...

CISA provides community-led guidance on SBOM sharing roles, responsibilities through working group paper

The Cybersecurity and Infrastructure Security Agency has published a white paper on how specific members of the software community should approach sharing a Software Bill of Materials, as part of the agency’s community-led efforts to tackle challenges in the software transparency space.

The paper offers a definition for a new “distributor” role in the SBOM sharing process and was developed by the SBOM sharing and exchanging community group facilitated by CISA.

The working group identifies in the white paper...

Google report details Chinese threat actor exploitation of zero-day vulnerabilities for cyber espionage

A new threat report from Google on 2023 exploit trends calls out the People’s Republic of China as the top nation state taking advantage of zero-day vulnerabilities.

“The People’s Republic of China continues to lead the way for government-backed exploitation. PRC cyber espionage groups exploited 12 zero-day vulnerabilities in 2023, up from seven in 2022, more than we were able to attribute to any other state and continuing a trend we’ve observed for multiple years,” the report says.

Google’s Threat...

Cloud security task force pursues public-private solutions to enhance cyber metrics, monitoring

A task force led by the Cloud Security Alliance and MITRE wants to develop better tools for measuring progress on cybersecurity outcomes for cloud environments as part of its work with the federal government and industry, according to a MITRE cyber engineer participating in the public-private partnership.

“We don't want the cloud to become something that's unsafe for government, and we really want to make sure that the industry is properly armed with the tools that they need...to face the...

Institute for Security and Technology offers steps to enhance CISA collaboration hub

A new report from the Institute for Security and Technology provides steps to boost the capacity of CISA’s Joint Cyber Defense Collaborative to maintain long-term engagement with private sector stakeholders and interagency partners in the fight against ransomware.

“JCDC grapples with bureaucratic and institutional challenges within the U.S. government’s multifaceted approach to cybersecurity collaboration, leading to potential confusion among JCDC participants and hampering information sharing and coordination efforts,” IST says in the report released today.

The report compares the...

Treasury Dept. identifies opportunities for AI-focused work on cyber risk challenges

The Treasury Department has released a report providing an overview of opportunities that artificial intelligence presents for the financial services sector and potential challenges where the government could play a role in addressing cybersecurity needs, as more financial firms consider how to use advances in AI for business purposes.

“Applying appropriate risk management principles to AI development is critical from a cybersecurity perspective, as data poisoning, data leakage, and data integrity attacks can take place at any stage of the...

Easterly, Neuberger discuss how to usher more women into cyber workforce

Young women and women who work in non-cyber careers can be empowered to fill critical roles in the cybersecurity workforce through technical exposure and a focus on how to communicate about risk, according to two of the nation’s top cyber officials who participated in a Wednesday webinar highlighting women in national security.

Deputy National Security Advisor Anne Neuberger said women interested in “breaking in” to the cybersecurity field “at a senior level” can succeed by focusing on conveying cyber risks...

Procurement coalition raises questions over DOD treatment of external service providers in CMMC proposed rule

The Coalition for Government Procurement is seeking clarity on how the Defense Department will allow external service providers to play a role in achieving compliance with the Pentagon’s Cybersecurity Maturity Model Certification program, in a filing on the proposed rule to implement the program.

“The definitions of ‘External Service Providers’ and ‘Cloud Service Providers’ must be clarified to facilitate continuing access by small and medium-sized businesses, especially, to external security services. Already, a very large percentage of SMBs rely upon...

NTIA argues for reinstating FCC net neutrality rules to ensure authorities over national security

The National Telecommunications and Information Administration sees net neutrality regulations under consideration at the Federal Communications Commission as important to ensuring the regulatory agency has the authorities it needs to protect national security, in a recent filing to the FCC on the proposed rule.

“As the President’s principal advisor on telecommunications and information policy, NTIA is charged with developing, coordinating, and presenting the Executive Branch’s views to the Federal Communications Commission (FCC or Commission). NTIA is deeply committed to advancing...
