FCW Insider

Quick Hits

*** The National Institute of Standards and Technology released version 2.0 of the Risk Management Framework on Dec. 20. Formally titled "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy," NIST SP 800-37 Revision 2 was developed in response to President Donald Trump's 2017 cybersecurity executive order.

NIST Senior Fellow Ron Ross said on Twitter that "RMF 2.0 is the first framework in the world to address security, privacy, and supply chain risk in an integrated manner--at the organization, mission/business process, and system levels."

*** The Department of Homeland Security will use a group of existing contracts to fulfill its IT needs rather than design a follow-on to EAGLE II. DHS plans to tap vehicles at the General Services Administration and the National Institutes of Health. The move is an effort by DHS to focus on modernizing its IT and on a "drive toward data, accountability, and transparency in our actions," DHS Chief Procurement Officer Soraya Correa said in a statement.

*** The Defense Department closed out its third hackathon program, Hack the Air Force 3.0, with 120 valid cybersecurity vulnerabilities found in public-facing Air Force websites and services. The program ran from Oct. 19 through Nov. 22 and resulted in $130,000 in prize money for participating hackers.

This latest program run made the Air Force the first military service to host a bug bounty program three times, HackerOne, which facilitates the program, announced in a Dec. 20 release.

DOD launched its first bug bounty program, Hack the Pentagon, in 2016, an effort that has since spread successfully to all the military services. The Defense Department also recently expanded its bug bounty programs, contracting three companies, HackerOne, Synack, and BugCrowd, for $34 million in October.

Capt. James Thomas of Air Force Digital Services said that bug bounty programs for the Air Force not only help make systems and websites more secure but also help with talent exposure.

“By opening up these types of challenges to more countries and individuals, we get a wide range of talent and experience we would normally not have access to in order to harden our networks,” Thomas said in a statement.

So far, the Air Force has paid $350,000 in bug bounty rewards for the discovery of more than 430 security vulnerabilities.

*** The Transportation Security Administration needs to get a better handle on its role in securing the nation's energy pipeline infrastructure, according to a Dec. 19 report from the Government Accountability Office. TSA is responsible for security inspections of more than 2.7 million miles of pipeline, infrastructure that is vulnerable to both cyber and physical attack as well as accidents and operator errors. According to GAO, the agency hasn't kept up needed levels of staffing in its pipeline security operations or kept its risk assessment methodology up to date.

Posted on Dec 21, 2018 at 12:30 AM
