*** The National Institute of Standards and Technology released version 2.0 of the Risk Management Framework on Dec. 20. Formally titled "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy," NIST SP 800-37 Revision 2 was developed in response to President Donald Trump's 2017 cybersecurity executive order.
NIST Senior Fellow Ron Ross said on Twitter that "RMF 2.0 is the first framework in the world to address security, privacy, and supply chain risk in an integrated manner--at the organization, mission/business process, and system levels."
*** The Department of Homeland Security will use a group of existing contracts to fulfill its IT needs rather than design a follow-on to EAGLE II. DHS plans to tap vehicles at the General Services Administration and the National Institutes of Health. The move is an effort by DHS to focus on modernizing its IT and on a "drive toward data, accountability, and transparency in our actions," DHS Chief Procurement Officer Soraya Correa said in a statement.
*** The Defense Department closed out its third hackathon program, Hack the Air Force 3.0, with 120 valid cybersecurity vulnerabilities found in public-facing Air Force websites and services. The program ran from Oct. 19 through Nov. 22 and resulted in $130,000 in prize money for participating hackers.
This latest program run made the Air Force the first military service to host a bug bounty program three times, HackerOne, which facilitates the program, announced in a Dec. 20 release.
DOD launched its first bug bounty program, Hack the Pentagon, in 2016, an effort that has since spread successfully to all the military services. The Defense Department also recently expanded its bug bounty programs, contracting three companies, HackerOne, Synack and BugCrowd, for $34 million in October.
Capt. James Thomas of Air Force Digital Services said that bug bounty programs not only help make the Air Force's systems and websites more secure but also give the service exposure to outside talent.
“By opening up these types of challenges to more countries and individuals, we get a wide range of talent and experience we would normally not have access to in order to harden our networks,” Thomas said in a statement.
So far, the Air Force has paid $350,000 in bug bounty rewards for the discovery of more than 430 security vulnerabilities.
*** The Transportation Security Administration needs to get a better handle on its role in securing the nation's energy pipeline infrastructure, according to a Dec. 19 report from the Government Accountability Office. TSA is responsible for security inspections of more than 2.7 million miles of pipeline, infrastructure that is vulnerable to both cyber and physical attack as well as accidents and operator errors. According to GAO, the agency hasn't kept up needed levels of staffing in its pipeline security operations or kept its risk assessment methodology up to date.
Posted on Dec 21, 2018 at 12:30 AM