Homeland Security Releases FISMA Compliance Metrics

The Obama administration, by focusing on continuous monitoring, comes closer to assessing the thoroughness of federal agencies' cybersecurity efforts, says SANS Institute.

The Department of Homeland Security (DHS) has released new reporting metrics for agency compliance with the Federal Information Security Management Act (FISMA) that focus on continuous cybersecurity monitoring.

The new metrics should bolster the federal government's strategy to keep closer and more constant track of security vulnerabilities and threats as it moves forward with improvements to overall cybersecurity across agencies.

The annual CIO's FISMA Reporting Metrics report for fiscal year 2011 requires federal agencies to detail progress they've made to automate daily metrics on critical security risks. FISMA is the National Institute of Standards and Technology (NIST) security standard for IT products and solutions used in the federal government, as well as for how agencies comply with cybersecurity requirements.

The 11-page document asks agencies to provide a current inventory of automated monitoring capabilities in overall systems; asset, configuration, vulnerability, identity, and access management; and other categories.

This year's metrics document also contains an entire section asking agencies to report on continuous monitoring itself, asking what percentage of data from various data feeds are being monitored "at appropriate frequencies and levels in the agency," according to the document. Data feeds included in the questioning include application logs, patch status, vulnerability scans, failed logins for privileged accounts, and data loss prevention data, among others.
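The continuous-monitoring question above asks, in effect, for a coverage ratio: of the data feeds an agency should be collecting, how many are actually being collected at the frequency the agency deems appropriate. The following is an added example of how such a ratio can be computed from a feed inventory; it is not code from the article or from DHS, and the feed names, collection intervals, timestamps and the `DataFeed` structure are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Fixed reference time so the report is deterministic (constructed value).
NOW = datetime(2011, 6, 6, 12, 0, tzinfo=timezone.utc)


@dataclass
class DataFeed:
    """One monitoring data feed in the agency inventory (hypothetical structure)."""
    name: str
    category: str
    required_interval: timedelta        # how often this feed must be collected
    last_collected: Optional[datetime]  # None means never collected
    automated: bool                     # collected by tooling rather than by hand


def is_monitored_at_frequency(feed: DataFeed, now: datetime) -> bool:
    """A feed counts as monitored only if its last collection is within the interval."""
    if feed.last_collected is None:
        return False
    return now - feed.last_collected <= feed.required_interval


def coverage_report(feeds: List[DataFeed], now: datetime) -> Dict[str, object]:
    """Summarise what share of feeds meet their collection frequency.

    Returns the overall percentage, the percentage collected by automation,
    the feeds that are stale or never collected, and a per-category breakdown.
    """
    total = len(feeds)
    on_time = [f for f in feeds if is_monitored_at_frequency(f, now)]
    stale = [f.name for f in feeds if not is_monitored_at_frequency(f, now)]
    automated = sum(1 for f in feeds if f.automated)

    by_category: Dict[str, Dict[str, int]] = {}
    for f in feeds:
        bucket = by_category.setdefault(f.category, {"total": 0, "on_time": 0})
        bucket["total"] += 1
        if is_monitored_at_frequency(f, now):
            bucket["on_time"] += 1

    def pct(part: int) -> float:
        return round(100.0 * part / total, 1) if total else 0.0

    return {
        "total_feeds": total,
        "monitored_at_frequency": len(on_time),
        "percent_monitored": pct(len(on_time)),
        "percent_automated": pct(automated),
        "stale_feeds": stale,
        "by_category": by_category,
    }


def sample_feeds() -> List[DataFeed]:
    """Constructed inventory mirroring the feed types the article lists."""
    h = timedelta(hours=1)
    return [
        DataFeed("application_logs", "logging", 24 * h, NOW - 6 * h, True),
        DataFeed("patch_status", "configuration", 7 * 24 * h, NOW - 10 * 24 * h, True),
        DataFeed("vulnerability_scans", "vulnerability", 72 * h, NOW - 48 * h, True),
        DataFeed("privileged_failed_logins", "identity", 1 * h, NOW - timedelta(minutes=30), True),
        DataFeed("dlp_events", "data_loss_prevention", 24 * h, None, False),
    ]


if __name__ == "__main__":
    report = coverage_report(sample_feeds(), NOW)
    print(f"{report['percent_monitored']}% of feeds monitored at required frequency")
    print("stale or missing:", ", ".join(report["stale_feeds"]))
```

Running the block with the constructed inventory reports 60% coverage: the patch-status feed is ten days old against a weekly requirement, and the DLP feed has never been collected. The per-category breakdown is what lets an agency answer the inventory questions by area (asset, configuration, vulnerability, identity and access management) rather than with a single blended number.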

Over the last couple of years, the Obama administration has required agencies to report on FISMA compliance by asking numerous questions that didn't necessarily address key security concerns.

This year's metrics document, however, moves away from that with a smaller, more focused series of questions on key security controls that address the real objective of FISMA compliance requirements: to assess the thoroughness and effectiveness of agencies' cybersecurity efforts.

While not a massive leap forward, this year's FISMA metrics requirements are a step in the right direction to improving overall cybersecurity at federal agencies, according to one cybersecurity expert.

Alan Paller, director of research for the SANS Institute, called the metrics "a huge improvement" that should "result in rapid risk reduction and potentially allow the government to lead by example in showing how to manage cybersecurity effectively." The SANS Institute offers cybersecurity training.

As opposed to previous metrics requirements, the 2011 document assesses agency progress in implementing systems needed for continuous monitoring of key controls defined by agencies and companies (such as the National Security Agency and the DHS itself) that are aware of how cyber attacks are executed and what's needed to block or mitigate them or the damage they cause, he said.

"It's the first time they have included effectiveness measures and a major focus on the 20 critical controls, so it saves agencies millions of dollars by enabling them to use the money on what matters most," Paller said in an interview via email Monday. "That means radically better security."
