Zeneth Cybersecurity Newsletter – December 2017
(Feature image taken by Dan Waddell of Zeneth Technology Partners. All Rights Reserved. Use outside of this website is not permitted without express written permission.)
—
Greetings and welcome to the first edition of the Zeneth Cybersecurity Newsletter. If you have any feedback to share, please let us know by sending us an email to info@zenethtechpartners.com.
We collect these links periodically in order to help keep our readers updated on what is happening in federal cybersecurity here in the Nation’s Capital. Note that some sub-links will take you to sponsored or paid content. Disseminating this information is not an endorsement of any publication, nor does Zeneth receive any benefit whatsoever from posting them here.
—
Federal News Radio
How DHS, DoD sharpen their cyber pencils to make the right investments
Fedscoop
OPM CISO Cord Chase: ‘Cyber is just a support role’ to IT modernization
The third Congressional Hackathon tackles openness and faith in government
Cyberscoop
Why Eugene Kaspersky keeps talking about ‘Project Sauron’
Former NSA employee pleads guilty to taking classified information home
Politico
Surveillance bill could hitch a ride (and other thoughts)
NIST
(ISC)² Weekly Security Headlines
AS CYBER GROWS MORE POPULAR, SO DO TECHNIQUES FOR DEVELOPING SECURITY SKILLS
Legislation Tracker
HR 1981 Cyber Security Education and Federal Workforce Enhancement Act (4/25/2017)
Status-Introduced to the House on Apr 6, 2017
This bill amends the Homeland Security Act of 2002 to establish within the Department of Homeland Security (DHS) an Office of Cybersecurity Education and Awareness Branch to make recommendations to DHS regarding: (1) recruitment of information assurance, cybersecurity, and computer security professionals; (2) grants, training programs, and other support for kindergarten through grade 12, secondary, and post-secondary computer security education programs; (3) guest lecturer programs in which professional computer security experts lecture computer science students at institutions of higher education; (4) youth training programs for students to work in part-time or summer positions at federal agencies; and (5) programs to support underrepresented minorities in computer security fields with programs at minority-serving institutions and rural colleges and universities.
DHS must provide matching funds to local educational agencies for after-school programs dedicated to science, technology, engineering, and math (STEM).
The bill provides for the establishment of:
- a Research K-12 Science and Technology Education Board of Advisors;
- a Computing and Information Security Post-Secondary Education Working Group to assist DHS in developing voluntary guidelines for federal civil agency training programs, certification authorities, and accreditation bodies;
- a Post-Secondary Laboratory Research Development Task Force to recommend best practices for college and university laboratory facilities;
- an Office of Computing and Information Security Professional’s Mentoring Program;
- a program under which DHS may designate Centers of Academic Computer and Information Assurance Distinction;
- programs in conjunction with the National Science Foundation (NSF) to award grants for cybersecurity and information security professional development programs and degrees; and
- an E-Security Fellows Program to facilitate participation in DHS’s National Cybersecurity Division.
DHS may make grants to post-secondary institutions to equip computer laboratories for teaching and research purposes.
The NSF must report to Congress regarding the causes of the high dropout rates of women and minority students enrolled in STEM programs.
HR 1224—NIST Cybersecurity Framework, Assessment and Auditing Act of 2017
Status-The committees assigned to this bill sent it to the House as a whole for consideration on March 1, 2017
This bill amends the National Institute of Standards and Technology Act to require the National Institute of Standards and Technology (NIST), in developing standards for information systems, to emphasize the principle that expanding cybersecurity threats require: (1) engineering security from the beginning of a system’s life cycle, (2) building more trustworthy and secure components and systems from the start, and (3) applying well-defined security design principles throughout systems.
NIST must provide guidance for agencies to incorporate into their information security risk management efforts the Framework for Improving Critical Infrastructure Cybersecurity (Framework). Such guidance shall:
- describe how the Framework aligns or augments existing agency practices;
- identify any areas of conflict or overlap between the Framework and existing cybersecurity requirements;
- include a template for federal agencies on how to use the Framework and recommend procedures for streamlining and harmonizing existing and future cybersecurity-related requirements;
- recommend other procedures for compliance with cybersecurity reporting, oversight, and policy review; and
- be updated to reflect what NIST learns from ongoing research, cybersecurity audits, information compiled by the federal working group, and annual reports.
NIST must chair a federal working group to coordinate the development of metrics and tools to measure the effectiveness of the Framework for federal agencies protecting their information and information systems.
The federal working group must assist the Office of Management and Budget (OMB) and Office of Science and Technology Policy (OSTP) in publishing annual reports on agency adoption rates and the effectiveness of the Framework.
NIST must initiate an individual cybersecurity audit of certain agencies to assess the extent to which each agency meets information security standards. NIST shall prepare a needs-based plan for the audits that includes: (1) a description of staffing plans, (2) workforce capabilities, (3) methods of conducting such audits, (4) coordination with agencies to support such audits, (5) expected timeframe for the completion of the audits, and (6) other relevant information.
NIST must report on the audit of each agency to: (1) OMB, (2) the OSTP, (3) the Government Accountability Office, (4) the agency being audited and its inspector general, and (5) Congress.
HR 584 Cyber Preparedness Act of 2017 (passed House 1/31/2017)
Status-This bill passed in the House on January 31, 2017. Currently in committee in Senate.
This bill amends the Homeland Security Act of 2002 to require the Department of Homeland Security’s (DHS’s) State, Local, and Regional Fusion Center Initiative to coordinate with the national cybersecurity and communications integration center (NCCIC) to provide state, local, and regional fusion centers with expertise on DHS cybersecurity resources. (A fusion center serves as a focal point within the state and local environment for the receipt, analysis, gathering, and sharing of threat-related information between the federal government and state, local, tribal, territorial, and private sector partners.)
DHS must: (1) provide timely access to technical assistance, risk management support, and incident response capabilities for cybersecurity threat indicators, defensive measures, risks, and incidents, including cybersecurity risks to equipment and technology related to the electoral process; (2) review cybersecurity risk information gathered by fusion centers to incorporate into DHS’s cybersecurity risk information; and (3) disseminate cybersecurity risk information to fusion centers.
Fusion center officers or intelligence analysts may be assigned from the NCCIC. Such officers and analysts must assist fusion centers in using cybersecurity risk information to develop a comprehensive and accurate threat picture.
The NCCIC may include, and must share analysis and best practices with, state and major urban area fusion centers.
States, local or tribal governments, or high-risk urban areas receiving grants to protect against terrorism under the Urban Area Security Initiative or the State Homeland Security Grant Program may use the funds to: (1) prepare for and respond to cybersecurity risks and incidents, and (2) develop statewide cyber threat information analysis and dissemination activities.
The bill expresses the sense of Congress that DHS should share actionable information related to cyber threats in an unclassified form to facilitate timely dissemination to state, local, and private sector stakeholders.
S.412 State and Local Cyber Protection Act of 2017
Status-Introduced to the House on February 16, 2017.
This bill amends the Homeland Security Act of 2002 to require the Department of Homeland Security’s (DHS’s) national cybersecurity and communications integration center (NCCIC) to assist state and local governments with cybersecurity by:
- upon request, identifying system vulnerabilities and information security protections to address unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by, or information systems used or operated by, state or local governments or other organizations or contractors on their behalf;
- providing via a web portal updated resources and guidelines related to information security;
- coordinating through national associations to implement information security tools and policies to ensure the resiliency of state and local information systems;
- providing training on cybersecurity, privacy, and civil liberties;
- providing requested technical assistance to deploy technology that continuously diagnoses and mitigates cyber threats and to conduct threat and vulnerability assessments;
- coordinating vulnerability disclosures under standards developed by the National Institute of Standards and Technology; and
- ensuring that state and local governments are aware of DHS resources and other federal tools to ensure the security and resiliency of federal civilian information systems.
The NCCIC’s privacy and civil liberties training must include: (1) reasonable limits on the receipt, retention, use, and disclosure of information associated with specific persons that is not necessary for cybersecurity purposes; (2) data integrity standards requiring the prompt removal and destruction of obsolete or erroneous names and personal information that is unrelated to the risk or incident information; (3) safeguards and confidentiality protections for cyber threat indicators and defensive measures, including information that is proprietary or business-sensitive that may be used to identify specific persons from unauthorized access or acquisition; and (4) methods to ensure that obtained information is used only to address cybersecurity risks and threats or as specifically authorized by law.
The NCCIC must seek feedback from state and local governments on the effectiveness of such activities and provide such information to Congress.
Main Street Cybersecurity Act of 2017
Status-Passed Senate (House next) on Sep 28, 2017
This bill amends the National Institute of Standards and Technology Act to require the National Institute of Standards and Technology (NIST) to consider small businesses when it facilitates and supports the development of voluntary, consensus-based, industry-led guidelines and procedures to cost-effectively reduce cyber risks to critical infrastructure.
NIST must disseminate, and publish on its website, standard and method resources that small business may use voluntarily to help reduce their cybersecurity risks. The resources must be: (1) technology-neutral, (2) based on international standards to the extent possible, (3) able to vary with the nature and size of the implementing small business and the sensitivity of the data collected or stored on the information systems, and (4) consistent with the national cybersecurity awareness and education program under the Cybersecurity Enhancement Act of 2014.
Other federal agencies that NIST considers appropriate must also publish the resources on their own websites.
HR 1344—State Cyber Resiliency Act
Status-Introduced in House 3/2/2017
This bill requires the Federal Emergency Management Agency (FEMA) to administer a State Cyber Resiliency Grant Program to assist state, local, and tribal governments in preventing, preparing for, protecting against, and responding to cyber threats.
The Department of Homeland Security (DHS) may award states with planning and biennial implementation grants under the program to:
- adopt cybersecurity best practices;
- mitigate talent gaps in government workforces;
- protect public safety answering points, emergency communications, and continuity of communications during catastrophic disruption;
- mitigate threats to critical infrastructure or key resources;
- coordinate with neighboring states or countries, National Guard units, or information sharing and analysis organizations; and
- establish scholarships or apprenticeships to provide financial assistance to state residents pursuing cybersecurity education who commit to working for state government.
The bill sets forth requirements for distribution of awarded amounts to local and tribal governments within states and for consultation with local and regional officials.
The Committee for Cyber Resiliency Grants is established to: (1) promulgate guidance for states to develop applications for such cyber resiliency grants; (2) provide DHS and states with recommendations regarding the approval of state plans or applications; and (3) evaluate, and report to Congress regarding, the progress of states in implementing plans.
HR 1340 Interagency Cybersecurity Cooperation Act
Status-Introduced to the House 3/2/2017
This bill requires the Federal Communications Commission (FCC) to establish the Interagency Communications Security Committee as an advisory committee to:
- review communications security reports from federal agencies and communications network providers (wireline or mobile telephone service, Internet access service, radio or television broadcasting, cable service, direct broadcast satellite service, or other communications services);
- recommend investigation by relevant agencies into any such report; and
- issue to Congress regular reports containing the results of any such investigation, the committee’s findings following each communications security incident, and policy recommendations that may arise from each communications security incident.
Every three months, agencies must submit to the committee a report of each communications security incident compromising a telecommunications system that resulted in: (1) government-held or private information being viewed or extracted, or (2) outside programming on an agency computer or electronic device.
The bill requires communications networks to be treated as critical infrastructure and protected systems under the Homeland Security Act of 2002. The FCC is subject to the same requirements as the Department of Homeland Security concerning the protection of critical infrastructure information relating to communications networks that is voluntarily submitted to the FCC.
HR 2184-Cyber Scholarship Opportunities Act of 2017
Status-Introduced to the House 4/27/2017, Ordered Reported — Aug 2, 2017
This bill amends the Cybersecurity Enhancement Act of 2014 to require the federal cyber scholarship-for-service program that the National Science Foundation (NSF) coordinates with the Department of Homeland Security to include scholarship recipients who are students pursuing an associate’s degree in a cybersecurity field without the intent of transferring to a bachelor’s degree program and who either have a bachelor’s degree already or are veterans of the Armed Forces.
The post-award employment obligations of scholarship recipients pursuing a doctoral or master’s degree may include work at an institution of higher education or for a local educational agency teaching cybersecurity skills.
Scholarship eligibility factors are revised to include: (1) an individual’s skills and abilities under the National Institute of Standards and Technology’s national cybersecurity awareness and education program, and (2) students pursuing a degree on a less than full-time but not less than half-time basis.
The NSF must work with the Office of Personnel Management to consolidate information about cyber scholarships programs and job opportunities into a single online resource center.
The NSF may carry out a program to improve cybersecurity education at the K-12 level.
The NSF may: (1) grant exceptions from the post-award employment obligations to students who agree to work in a critical infrastructure mission at a federal government corporation or a state, local, or tribal government-affiliated component of a critical infrastructure sector; or (2) develop a pilot program to enhance critical infrastructure protection training for students pursuing careers in cybersecurity.
—
At Zeneth, we offer our federal and commercial clients information technology and security services that enable and optimize our clients’ business processes by ensuring Confidentiality, Integrity and Availability. Our experienced team has led a variety of successful engagements in areas such as program management, application development, acquisition and strategic sourcing, which gives Zeneth a holistic perspective to solve your security challenges.
—
Visit us online at:
Follow us on Twitter at:
https://twitter.com/ZenethTechHQ
Follow us on LinkedIn at: