Federal government of the United States – РИСК-АКАДЕМИЯ – АНО ДПО ИСАР

OMB should lead category management efforts to improve contract data, GAO says

riskacademy — Wed, 02 Dec 2020 00:54:59 +0000

Written by

Dave Nyczepir
Dec 1, 2020 | FEDSCOOP

Efforts to improve contract data must be led by the Office of Management and Budget, if its category management initiative is to improve, according to the Government Accountability Office.

GAO found OMB‘s category management initiative focused too much on how to buy things — at the expense of helping agencies determine what goods and services they actually need — when it assessed data for 28 agencies, reviewed guidance for four and interviewed officials.

The category management initiative saved $27.3 billion in three years by having agencies use existing contracts to buy similar products and services like those in the IT Category, but billions more could be saved if OMB pursues governmentwide solutions to data challenges.

“Agency officials told GAO that data challenges—particularly challenges in collecting, analyzing, and sharing data on their spending and the prices they pay—have hindered implementation of the category management initiative,” reads GAO’s congressional report released Monday. “OMB is aware of these…

DHS cyber chief out after debunking Trump’s election claims

riskacademy — Wed, 18 Nov 2020 05:31:36 +0000

“There were massive improprieties and fraud — including dead people voting, Poll Watchers not allowed into polling locations, ‘glitches’ in the voting machines which changed … votes from Trump to Biden, late voting, and many more,” Trump tweeted, though those claims are false. “Therefore, effective immediately, Chris Krebs has been terminated.”

Krebs, one of the few Trump appointees with nearly universal bipartisan support, spent years navigating his new agency through DHS’s leadership turmoil and the administration’s political controversies. At the same time, he built relationships with fellow officials and private security experts to reform and promote the government’s cyber mission.

After rising to become the United States’ de-facto cyber czar in 2018, he became a familiar presence at security conferences, where he discussed threats such as the ransomware epidemic and the risks of Chinese telecom companies such as Huawei. In an administration that constantly defied democratic norms, Krebs became the public face of the government’s election security efforts, highlighting the collaboration between national security officials and election supervisors.

But Krebs’…

OMB sets new CDM data standards deadline for agencies

riskacademy — Mon, 16 Nov 2020 23:24:50 +0000

As with any discussion about cybersecurity, let’s start with the good news.

The Office of Management and Budget continues to live up to its promise to keep new requirements under the Federal Information Security Management Act (FISMA) at a minimum to ensure consistent measurement from year-to-year.

The latest memo from OMB Director Russ Vought outlining requirements for fiscal 2021 is exactly the same as the 2019-2020 memo except for a section about the continuous diagnostics and mitigation (CDM) program.

“At a minimum, Chief Financial Officer (CFO) Act agencies must update their CIO metrics quarterly and non-CFO Act agencies must update their CIO metrics on a semiannual basis,” Vought wrote. “Reflecting the administration’s shift from compliance to risk management, as well as the guidance and requirements outlined in OMB Memorandum M-19-03, Strengthening the Cybersecurity o(Federal Agencies by Enhancing the High Value Asset Program, and Binding Operational Directive 18-02, Securing High Value Assets, CIO metrics are not limited to assessments and capabilities within National Institute of…

DHS Works to Protect National Critical Infrastructure

riskacademy — Sun, 04 Oct 2020 15:58:12 +0000

Last month, the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the U.S. Department of Homeland Security (DHS), published two important resources that deserve special attention. While many of these CISA status reports may seem a bit like “alphabet soup” to those not familiar with the process, the importance of this National Critical Function (NCF) topic is paramount to our joint efforts to protect our nation’s critical infrastructure from numerous threats.

The “NCF: Status Update to the Critical Infrastructure Community” was released directly to stakeholders in July 2020, and the NCF Fact Sheet is new.

The release of this NCF report on progress in protecting our National Critical Functions is ground-breaking. In order to better understand the importance of this topic and dive deeper into what it means, I interviewed Thad Odderstol,…

Memorandum on Space Policy Directive-5-Cybersecurity Principles for Space Systems

riskacademy — Fri, 04 Sep 2020 18:09:27 +0000

SUBJECT: Cybersecurity Principles for Space Systems

Section 1. Background. The United States considers unfettered freedom to operate in space vital to advancing the security, economic prosperity, and scientific knowledge of the Nation. Space systems enable key functions such as global communications; positioning, navigation, and timing; scientific observation; exploration; weather monitoring; and multiple vital national security applications. Therefore, it is essential to protect space systems from cyber incidents in order to prevent disruptions to their ability to provide reliable and efficient contributions to the operations of the Nation’s critical infrastructure.

Space systems are reliant on information systems and networks from design conceptualization through launch and flight operations. Further, the transmission of command and control and mission information between space vehicles and ground networks relies on the use of radio-frequency-dependent wireless communication channels. These systems, networks, and channels can be vulnerable to malicious activities that can deny, degrade, or disrupt space operations, or even destroy satellites.

Examples of malicious…

Cybersecurity Information Sharing Success Stories

riskacademy — Wed, 15 Jul 2020 22:20:44 +0000

The theory behind cybersecurity information sharing is clear and uncontroversial, even if the details of what to share, how best to do it and who to share with may sometimes result in debate and disagreement. The theory goes that organizations are better off sharing information and improving situational awareness than trying to recognize and face cyber threats and challenges on their own. Some collective and coordinated efforts can help to identify, learn about and fend off threats and would-be attackers—as compared to acting individually with less information and situational awareness. That is also a reason why armies gather intelligence, where feasible, before going to battle.

Sharing information about cyber threats, incidents and vulnerabilities has some similarities to the concepts of a “neighborhood watch.” For both, the idea is to observe, gather and share information—including about the tactics, techniques and procedures (TTPs) of attackers—to enable targets to recognize threats and defend better, reducing the likelihood that those attacks and attackers will succeed. In economic terms, we are seeking in part to raise the costs to attackers by using information…