Certification & Accreditation Change

Standard-issue security
Certification and accreditation process for national security systems to extend to the rest of government. A two-year-old effort to standardize processes for certifying and accrediting government IT systems could soon bear fruit, according to officials from several agencies.

The Committee on National Security Systems is preparing instructions for implementing a unified certification and accreditation (C&A) process that could be used on all national security systems, including those in the Defense Department and intelligence community, said Tony Cornish, chairman of the CNSS’ C&A working group.

At the same time, the National Institute of Standards and Technology plans to update its C&A guidance for systems covered by the Federal Information Security Management Act, said Ron Ross, a senior computer scientist and FISMA implementation lead at NIST.

“We are very close to producing a unified C&A process for the entire federal government,” Ross said in July at a government security symposium hosted by Symantec. “Within the next six to eight months, you are going to see a plethora of new things coming out” from CNSS and NIST.

CNSS’ instructions will be incorporated into NIST guidelines in its 800 series of special publications. Ross said a major update of SP 800-53 Rev. 2, “Recommended Security Controls for Federal Information Systems,” is expected in December, and a draft of the first revision of SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems,” is expected to be released for comment soon.

A single, governmentwide approach would make it easier for agencies to share data and cooperate with one another and with states, foreign allies and the private sector.

It could enable reciprocity, or the acceptance of other agencies’ C&A processes, without requiring recertification, and also could streamline acquisition processes by making it easier for vendors and developers to meet one set of standards.

C&A is a process for ensuring that IT systems are operating with an appropriate level of security. In the certification phase, the security of the system is documented; for accreditation, a designated authority signs off on the system’s fitness to go into operation. The concept has been around for some time, but there has been little standardization.

“In the past, we each had our own set of policies, and we didn’t look at each other’s,” said Sherrill Nicely, deputy associate director of national intelligence at the Office of the Director of National Intelligence.

FISMA requires C&A of information technology systems, but that does not apply to national security systems. And within the national security community, the military and intelligence sectors each have had their own way of doing things.

“Since about 1993, the Defense Department had its program, the Defense IT Security Certification and Accreditation Process,” said Eustace King, DOD chief of acquisition and technology oversight. “It worked pretty well” in a time before DOD’s emphasis on network- centric systems and information sharing, but it lacked enterprise visibility.

That C&A program was replaced with the Defense Information Assurance Certification and Accreditation Process. DOD was moving to the program in 2006 to harmonize military and intelligence processes when, a year later, it was expanded to include the rest of the national security community by bringing in the CNSS.

Through NIST, C&A procedures eventually will be standardized across all of government. However, policies do not change mind-sets, and old habits still remain one of the primary challenges to a standardized process. At DOD, there is a reluctance to accept reciprocity — that is, to give full credit to another agency’s C&A process without recertification, King said.

The intelligence community faces a similar hurdle, said Sharon Ehlers, an assistant deputy associate director of national intelligence.

“The cultural change has been the biggest challenge,” Ehlers said. “When it is not invented here, people don’t want to look at it.”

Popularity: 1% [?]

The rise of “intelligent” CCTV

I think its great that we have better technology in security. What is disconcerting are laws like the Patriot Act and FISA bill which take right from citizens for the sake of more security. With this increased technological power in security, there needs to be more balance, but it seems the rights of citizens (particularly privacy and civil liberties) are taking a back seat to all manor of political will. All this powered by the fear of terrorism after 9/11.

I’m not saying we should not be more cautious or more aware. I’m not saying that more security is not necessary. What I am saying is that Taking away liberties is not necessary. And even if you feel it is necessary to spy on all citizens indefinitely to “catch terrorist” shouldn’t there be checks and balances on the watchers. Who will watch the watchers? How will we ensure that their powers are not abused.

New Technologies:
Smart CCTV – There are now smart security cameras with pattern recognition that allow them to alarm when some one does something suspicious such as climb a fence, or put down a bag and walk away. That technology has been developed by companies like ObjectVideo Inc. Defense Advanced Research Products Agency (DARPA) hopes to take it a step further by creating systems that can learn everyday patterns and send alarm when things are outside of their known pattern, also known as anomaly detection.

http://govtsecurity.com/mag/fighting_terror_technology/


read more | digg story

Popularity: 2% [?]

untraceable movie

untraceable movie

I just saw a movie called Untraceable. It is cyberterrorism meets Seven. Although it is very violent, it falls short of the pure “torture porn” genre (i.e. Hostel, Saw). They didn’t sensationalize the FBI computer crime team. They made the characters real people with real problems.

The best part of the movie is that it addresses hard societal questions that we are still struggling with. The killer’s greatest weapon was the Internet itself. He used the anonymity and distributed non-centralized power of the net to broadcast killings on the Internet. Once he captured a victim, he would put them in a contraption that would torture them to death based on how many people came to the site. The FBI is at a loss, because their equipment (while it can easily bait & hunt small time phishers, criminal hackers and adults soliciting sex from kids online) it is useless against this serial killers level of software, Internet, and electronics sophistication. They eventually call upon the NSA, who tell them that they are not allowed to use their resources for domestic issues. With the Patriot Act and NUMEROUS presidential NSA acts, I don’t believe this is entirely true. But the movie seems to suggest that it is.

Although, I disagree with the message of giving more power to the FBI & NSA to catch bad guys (as it would require the loss of more civil liberties of law abiding citizens), I definitely recommend this movie.

Movie fact:

The site used by the killer (www.killwithme.com) actually exists. It’s owned by the movie studio and it’s used to promote the movie. In it, users are taken to a replica of the FBI computer used by the character Jennifer Marsh. Her desktop gets hacked by the killer who provides the visitor with four test he/she must complete to deactivate his site.

Popularity: 3% [?]

Standard Desktop Configuration (SDC) News

The Department of Defense has implemented the Standard Desktop Configuration (SDC) environment which allow all systems to have a uniform level of security. 

ALL SDC all the time: https://afecmo.gunter.af.mil/default.aspx

Now the rest of the federal goverment is jumping on the Information Assurance Bandwagon with something called the Federal Desktop Core Configuration (FDCC).

SDC version 2 (Vista) is already in the works as well as Standard Server Configuration (SCC).

Popularity: 2% [?]