And by this week I mean today, yesterday and part of last week.
It has been exciting though. Agency CIOs will now be required to report to OMB via CyberScope by November 15th. This is all laid out in Memorandum 10-15. My takeaway: Significant weaknesses don't need to be reported. WTF is that? You have to maintain it on file of course, so that you can provide it upon request.
CIOs are going to report the following:
- Systems and Services
- External Connections
- Security Training
- Identity Management and Access
That's super, right? There are instructions available here. Eventually, Vivek and Howard want it all in an Excel spreadsheet or XML format and then uploaded. You'll need to submit it monthly starting in January 2011. Sounds to me like someone has bought into the SANS Critical Consensus Whatever. But we know how I feel about that one already.
IGs will also need to report through the old system but on this set of categories:
- Certification and Accreditation
- Configuration Management
- Security Incident Management
- Security Training
- Remediation/Plans of Actions and Milestones
- Remote Access
- Identity Management
- Continuous Monitoring
- Contractor Oversight
- Contingency Planning
I'm not saying that the old process didn't need to be overhauled, but here again the Feds are moving away from a risk-based approach to control monitoring. Bejtlich seems to agree.
In other news, my Dad's agency (Bureau of Engraving and Printing) has had their web site HACKED! OMFG!
Oh wait, not so much. More on it at the Register and the AVG blog. Most importantly, Dad doesn't work on the external web site or in IT for that matter.
The first thing to consider is that the BEP external web site probably got a Low baseline assigned to it. It has also been reported in the Register article that it may be related to the Network Solutions WordPress hacks of last month. Could very well be, but let us remember that someone should have run a pen test. If they did run a pen test, well then maybe it's time for a new testing vendor. Panda gives a detailed breakdown.
This is the kind of thing that doesn't inspire confidence in the government's ability to protect information. And while there isn't any data leakage or loss from the site itself, the A (availability) portion of CIA has fallen down severely. The web site is still offline as of May 4th, 2010 at 21:45 GMT.