Category: Main Digg

  • diacap to diarmf: intro

    DIACAP to DIARMF: Intro

    [Image: DIACAP to RMF]

    The DoD Chief Information Officer (formerly the Assistant Secretary of Defense), in collaboration with the Department of the Navy CIO, has developed a DoDI 8500.2 to NIST SP 800-53 IA control mapping (2010). More is available on the DIACAP Knowledge Service.

    DIACAP Knowledge Service

    On the DIACAP Knowledge Service, go to “C&A Transformation”. This page introduces some of the coming changes from Certification & Accreditation (C&A) to the Risk Management Framework described in NIST SP 800-37.

    DIACAP has a “Risk Management Framework Transformation Initiative” underway that provides information on the use of NIST SP 800-53, NIST SP 800-37 and CNSS Instruction 1253.

    The site introduces changes being made to DoDD 8500.01, DoDI 8500.2, DoDI 8510.01 and other documents so that they align with NIST 800 and FISMA 2013. They will attempt to keep up with newly arising cyber threats, vulnerabilities and security incidents using real-time, “continuous monitoring” technologies such as HP ArcSight, McAfee ESM, ePO, NSP, Retina, Nessus and other near-real-time active monitoring systems.

    [Image: the road from DIACAP to DIARMF]

    Why DIACAP to DIARMF?

    The federal government has gotten more serious about security. It realizes that enterprise-level security and process is a continuous and expensive business. The old certification & accreditation process is not only long and expensive but so slow that it cannot keep up with the constant changes in information technology.

    Risk-based, cost-effective security means creating security systems and policies that focus on “adequate security”. The Executive Branch Office of Management and Budget (OMB) defines adequate security as security commensurate with the risk and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information. The feds are also attempting to streamline the implementation and evaluation of security controls by making the process as paperless and automated as possible.

    note IMHO: Since technology is changing at a rate of what Ray Kurzweil calls “accelerating returns” I think for governments and organizations stuck in “static policy” based systems there is no way they can ever keep up with information technology without revolutionary shift in thinking.  Google is probably the closest to understanding what is actually happening.  The best any of us can do is observe.

     Source documents for all U.S. Federal information security:

    OMB A-130 – Management of Federal Information Resources

    FISMA – Federal Information Security Management Act of 2002

    The Federal Information Security Management Act of 2002 (FISMA, 44 U.S.C. § 3541) was enacted as Title III of the E-Government Act of 2002 (Public Law 107-347).

    It requires all government agencies to develop, document, and implement an agency-wide information security program to provide information security for the information and systems that support the operations and assets of the agency. It also applies to contractors and other sources.

    The federal government has created various acts/laws to change the C&A process to a more risk-management-oriented approach and to emphasize a risk-based policy for cost-effective security. These acts include (but are not limited to):

    • Federal Information Security Management Act of 2002 (amended as of April 2013)
    • The Paperwork Reduction Act of 1995
    • The Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), supported by the Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources


  • Who Created/Manages NIST 800?

    Who Creates and/or Manages the NIST 800?

    NIST 800 is a well-thought-out set of federal security standards that the DoD and the Intel world are moving to. It aligns with the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standard ISO/IEC 27001:2005, Information Security Management System (ISMS).

    [Image: who creates and manages NIST 800]

    NIST 800 is updated and revised by the following organizations:
    • Joint Task Force Transformation Initiative Interagency (JTFTI) Working Group
    • National Institute of Standards and Technology (NIST)
    The JTFTI is made up of representatives from the Civil, Defense, and Intelligence Communities. This working group reviews and updates the following documents:

    • NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
    • NIST Special Publication 800-39, Enterprise-Wide Risk Management: Organization, Mission, and Information Systems View
    • NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
    • NIST Special Publication 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

    These core documents are the standard for how to implement FISMA. The organization has done a good job of keeping NIST 800 in line with the international standard ISO 27001. The JTFTI is made up of ODNI, DoD and CNSS. The documents are also publicly vetted.

    Office of the Director of National Intelligence (ODNI)
    The DNI is a position required by the Intelligence Reform and Terrorism Prevention Act of 2004. The office serves as adviser to the President, the Homeland Security Council and the National Security Council, as well as serving as the Director of National Intelligence.

    Department of Defense (DoD)
    The DoD is composed of (but not limited to) the USAF, US Army, DON and the Marines. It is the most powerful military organization in recorded history.

    Committee on National Security Systems (CNSS)
    This committee was created to satisfy National Security Directive 42, “National Policy for the Security of National Security Telecommunications and Information Systems”. The group has representatives from the NSA, CIA, FBI, DoD, DOJ and DIA and is focused on protecting US critical infrastructure.

    Sources: http://en.wikipedia.org/wiki/Committee_on_National_Security_Systems

    Public (review and vetting) – the draft is posted online on NIST.gov

    http://csrc.nist.gov/publications/PubsDrafts.html

    Sources:

    FISMA JTFI

    http://www.fismapedia.org/index.php?title=Joint_Task_Force_Transformation_Initiative

    Scadahacker – mappings of NIST to international standards

    http://scadahacker.com/library/Documents/Standards/mappings/Mapping%20NIST%20800-53.pdf


  • diacap to diarmf: C&A vs RMF

    DIACAP is transitioning from Certification and Accreditation to a Risk Management Framework. Most of the new Risk Management Framework is in NIST Special Publication 800-37. The old NIST SP 800-37 was also based on Certification and Accreditation. After FISMA 2002, it shifted to a Risk Management Framework in NIST SP 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems.

    [Image: DIACAP to DIARMF, C&A vs RMF]

    NIST SP 800-37 Rev 1 transformed the original SP 800-37 from a Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF). The revised process emphasizes:

    • Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls
    • Maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes
    • Providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems

  • Approved System

    Information Assurance is based on obtaining a high level of confidence in information’s confidentiality, integrity, and availability. Some organizations deal with “critical information”. Critical information includes things like banking transactions, classified data, and information that is evidence in an ongoing investigation. Companies, unions and governments that handle this kind of information usually have a lot of exposure because they are handling public data, shareholder data and employee data and are doing a lot of transmission across untrusted networks such as the Internet. With critical information and high exposure, these organizations MUST have “approved processes” for vetting, testing and validating “approved software” and “approved systems”.

    For example, in the Department of Defense there are many lists of approved software. These lists are per command within larger organizations. One overarching process/list is the Common Criteria:

    Common Criteria is an international standard for validating the technical security built into the security features of information systems. The international standard is known as ISO/IEC 15408.

    This standard is used by many large organizations all over the world that serve the public:

    www.commoncriteriaportal.org

    www.commoncriteria.com

    Each organization has its own specific security needs, so most of the time there are many levels of application approval and process:

    NSA / DoD / US Gov – www.niap-ccevs.org – The National Information Assurance Partnership (NIAP) uses the Common Criteria Evaluation and Validation Scheme (CCEVS) to ensure that only approved Information Assurance (IA) and IA-enabled Information Technology (IT) products are used.

    Canada – Canadian Trusted Computer Product Evaluation Criteria
    UK – www.cesg.gov.uk/servicecatalogue/ccitsec

    Commercial organizations that want their products used by organizations processing and storing critical information must submit to Common Criteria as well:

    Apple – https://ssl.apple.com/support/security/commoncriteria/

    Microsoft – www.microsoft.com/en-us/sqlserver/common-criteria.aspx

    Xerox – Common Criteria

    Citrix – www.citrix.com/support/security-compliance/common-criteria.html

    Cisco – Cisco Common Criteria
    EMC – Common Criteria

    Organizational units also have their own criteria for approved applications and systems:

    US Army – Army CHESS

    US Air Force – AF E/APL – Certified Air Force Evaluated/Approved Product List


  • 8 Tips Protect Privacy

    8 Tips to Protect Privacy: from those using your computer or account

    2013 has been a big year for privacy issues. There is a lot of talk about the government’s spying on citizens and usurping certain civil liberties. While this is definitely a concern regardless of what country/state you live in, a more immediate threat to your personal privacy is the people actually using your computer and/or accounts. Friends, family and co-workers that use the same computer you use, for example, can do more damage just from seeing something they are not supposed to see. At the very least, it can be embarrassing.

    Whether they are just borrowing your system and you trust them is not the point. TRUST is not the point. Access is the main concern. After all, they may ACCIDENTALLY see something they are not meant to see. Or a trusted friend might allow someone ELSE that you do NOT trust to use your system. So it is really not a matter of TRUST but ACCESS. If it’s easy to access the data then you must assume that they already have or will access, copy or modify this important private data. If you value your data and if you are security minded then you must control access.

    Here are 8 tips to protect privacy of personal data.  

    [Image: privacy tips, courtesy of Cubicle Chick]

    1. Create multiple password protected accounts 

    Your local system should have multiple accounts even if you are sure no one else will log in directly to the system. Multiple accounts allow you to have separate roles: an administrator role to install, upgrade and configure, and a normal account for surfing the web, creating documents and doing day-to-day stuff. You should not surf the web with your administrator account. Each account should be password protected. If you surf the web with an admin account you risk your system being compromised by malware that will run as the admin account you are using.

    –> Create Users

    2. Delete Browser History & Cache

    Why delete your browser’s cache and history? And how can deleting that info protect privacy? Your browser tracks all your browsing activity by default. So, for example, your mom or dad jumps on your computer (and your computer is wide open with no accounts or passwords). They use YOUR account and YOUR computer to quickly search for information about “dictionaries”. As your mom/dad types “Di”, the word “dick” auto-completes because it is something you previously typed. An innocent search can reveal all the places you have gone if you don’t regularly clear the history and cache from all browsers.


    3. Lock Mobile Device

    As of 2013, cell phones, tablets, smartphones and some laptops are the biggest gaping hole in protecting privacy, mainly because it’s fairly new to many people.

    If you have a mobile device, chances are high that it has direct access to your email account. You must put an automatic lock on your phone so that it locks if you are away from it for more than a few minutes. Then, if you lose your mobile device, at least whoever finds it won’t have access to all your emails and online accounts.

    4. Use Separate Emails for Separate Uses

    To minimize the risk of professional life leaking into personal life (and vice versa), use separate email accounts for work and home life, especially if the email is tied to a social network. If you have a business, you should keep its email traffic separate as well. This keeps contacts, social network posts and the professional and personal life in their own lanes.

    5. Encrypt or Delete Files You don’t want Others to See

    [Image: protect privacy, Congressman Weiner]

    If you have nude photos of yourself, it’s really none of anyone’s business but those you wish to share them with. Do you have nudes of your significant other? Do you have a drunken video of your BFF’s birthday party? You should put them in a folder that only you know about and encrypt them. Better yet, keep them off your computer and encrypted on removable media (thumb drive, CDROM etc). DO NOT send half-nude selfies, titty pictures, nudes or ANYTHING like that over the Internet, especially if you have a high-profile job. You really cannot trust anyone to protect your data. No one cares more about your privacy than you. If you don’t mind others, your kids, your parents and coworkers seeing your amazing body, then it’s fine. Case in point, NY Congressman Weiner sent very personal pictures of himself to Twitter under a different name. Unfortunately, his opponents found out and used it to get him publicly shamed. He eventually had to resign as congressman. It’s best not to send pictures or sexually explicit text out to anyone.

    6. Password protection

    Don’t give out your password. Use strong passwords (at least 8 characters, with UPPER/lowercase, special characters and numbers all mixed in). Change your passwords immediately if you feel one has been compromised. Don’t use the same password for every account.

    7. Log off

    You may need to log in to your social media website or email from a public or work computer that others will need to use. You must get in the habit of logging off. If you can, set up the account to automatically lock or log out.

    8. Auditing Your Accounts

    [Image: terminal services log, courtesy of smartcode.com]

    Social network accounts allow you to audit the account and send you a message if someone attempts to access your account from a different location or if they mis-authenticate over and over. You need to know when someone is attempting to access your personal information.

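    The two signals tip 8 describes (repeated failed logins on one account, and a successful login from a location the account has never used) are easy to check for yourself if a service lets you export its account-activity log. The Python below is an added example, not code from the original post or from any social network; the log format, the sample events and the failure threshold are all constructed for illustration.

```python
"""Account-activity audit: flag repeated failed logins and logins from a new
location. Added example; the log format, sample events and threshold are
constructed and do not come from any particular service."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of account-activity events (not real logs).
# One event per line: timestamp,account,result,location
SAMPLE_LOG = """\
2013-08-01T08:02:11,alice,success,home
2013-08-01T12:40:03,alice,success,office
2013-08-02T23:10:45,alice,failure,cafe
2013-08-02T23:11:02,alice,failure,cafe
2013-08-02T23:11:30,alice,failure,cafe
2013-08-02T23:12:01,alice,success,cafe
2013-08-03T09:00:00,bob,success,home
2013-08-03T09:05:00,bob,failure,home
"""

FAILURE_THRESHOLD = 3  # assumption: three failures in a row is worth an alert


@dataclass(frozen=True)
class Alert:
    account: str
    timestamp: str
    reason: str


def parse_events(text):
    """Parse the CSV-like log into (timestamp, account, result, location) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, result, location = line.split(",")
        events.append((ts, account, result, location))
    return events


def audit(events, threshold=FAILURE_THRESHOLD):
    """Return alerts for (a) `threshold` consecutive failures on one account and
    (b) a successful login from a location the account has not used before.
    Events are processed in order, so the set of known locations grows as the
    log is read; the very first login of an account seeds the baseline silently."""
    alerts = []
    known_locations = defaultdict(set)
    consecutive_failures = defaultdict(int)
    for ts, account, result, location in events:
        if result == "failure":
            consecutive_failures[account] += 1
            if consecutive_failures[account] == threshold:
                alerts.append(Alert(account, ts,
                                    f"{threshold} consecutive failed logins from {location}"))
            continue
        # A success resets the failure counter and may reveal a new location.
        if location not in known_locations[account]:
            if known_locations[account]:
                alerts.append(Alert(account, ts, f"login from new location {location}"))
            known_locations[account].add(location)
        consecutive_failures[account] = 0
    return alerts


if __name__ == "__main__":
    for alert in audit(parse_events(SAMPLE_LOG)):
        print(f"{alert.timestamp} {alert.account}: {alert.reason}")
```

    Run against the constructed sample, it raises three alerts for alice (the first login from the office, the three failures at the cafe, and the later successful login from the cafe) and none for bob, whose single failure stays below the threshold. The "new location" rule is deliberately quiet on an account's first-ever login, which is the same trade-off the services make: a baseline has to come from somewhere.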

  • System Recovery Disc 系统恢复光盘

    System Recovery Disc 系统恢复光盘

    This article has a brief description of how to create a Windows System Recovery disc (aka 系统恢复光盘).

    What is the use of a System Recovery disc?

    The disc contains the Windows Recovery tools. It helps to restore the old setup of your computer from before it started getting viruses and errors.

    Its purpose is to make it convenient for users, when viruses, trojans or other causes have made the system unusable, to reinstall and restore it to the factory state, which is mostly clean.

    http://windows.microsoft.com/en-us/windows7/create-a-system-repair-disc

    1. Click Start and select Control Panel.

    2. Click System Maintenance or System Security.

    [Image: system recovery disc]

    3. Under System and Security, select Back up and Restore.

    4. In the upper left, select Create a system repair disc (System Recovery Disc) and insert a blank CD.

    5. Choose the CD drive and click Create.

    [Image: system recovery disc, step 2]

    6. Wait for the disc to finish being created, then label and keep your System Recovery disc for future needs.

  • Windows Password Recovery: ONTPRE

    Offline NT Password & Registry Editor (ONTP&RE)

    Did you lock yourself out of your Windows system?  Forgot your Windows password?  What is the best Windows password recovery?

    The best way is to have a Windows Recovery disc ready.  But this is something you must do BEFORE you get locked out.

    [Image: reset password]

    There are tools you can use to get into your system, but the first thing you should try is to use “Administrator” as the user with no password. “Administrator” is a default account on Windows systems. On Windows 7 it is disabled by default, but if someone has used the account you may be able to use it as a backdoor into the system.

    If there is no Administrator account and no Windows Recovery disc, you will have to use a Windows password recovery tool. ONTP&RE is a password recovery tool that allows quick access to Windows systems.

    Reset Password : Windows 7

    1. Download ONTP&RE: First, download the Windows password recovery software from pogostick.net: pogostick.net/~pnh/ntpasswd/cd110511.zip

    2. Unzip ONTP&RE: The files are compressed into one archive named cd110511.zip. Unzip the file.

    3. Create a CD from the ISO: Set your CD creator to ‘image to disc’ and burn the image to the CD. Each CD burning program is different, so you will have to figure out how to create a CD from the ISO. Sometimes it’s as easy as double-clicking the ISO, but it depends on the software.

    4. Reboot & Insert: You need to make sure your Windows system is able to boot from the CD. Once the disc is done, insert it into the CD-ROM drive and reboot your computer.

    5. Boot the Computer from CD: As your computer reboots, keep hitting F2 to get into the BIOS. Select “Boot Options”. Some versions of the BIOS call this “Boot”, but the idea is the same. Go into the BIOS and make sure CDROM is at the top of the list of boot options. This means that the computer looks at the CD before going to the hard drive. Instructions for modifying BIOS settings will be listed on the screen.

    6. Boot into ONTP&RE: Once the BIOS boot option is set, save and exit. Your system will boot from your ONTP&RE disc and the software will start running. Just follow the steps. “Press enter” to boot into the “Offline NT Password & Registry Editor” CD.

    [Image: screenshot of Offline NT Password & Registry Editor]

    7. Select an Account: It will ask you to select an account. If you hit “Enter” it will automatically choose the [Administrator] account.

    *note: Anything in [brackets] is the default value, so if you hit “Enter” it will auto-magically choose that [bracket] value.. it’s a Linux thing.. you wouldn’t understand.

    If you choose the “Administrator” account, you may need to enable the account, since the built-in Administrator account is disabled by default in certain versions of Windows.

    8. Enable the Built-in Administrator Account: The Windows account needs to be enabled. Select 4, ‘Unlock and enable user account’, and press Enter.

    [Image: ONTP&RE user edit menu, enable account]

    9. Clear (blank) the User Password: After selecting 4 (Unlock and enable user account), you will be sent back to the User Edit Menu. If you want to clear the Administrator password (if it has one), hit Enter or type Administrator, then select 1 and press Enter to clear the user password.

    10. Save Changes: Once you have made all the changes you want (enabled the Administrator account & cleared any passwords), you are ready for the next step. Hit ‘!’ and Enter.

    [Image: ONTP&RE save changes]

    On the screen it asks ‘What to do?’. Hit q to quit. You will see:

    Step FOUR: Writing back changes

    “About to write file(s) back. Do it?”

    Hit Y and Enter to save the changes.

    11. Last Step: Hit “Ctrl-Alt-Del” to reboot and eject the CD quickly. This will allow the system to boot into Windows from the hard drive.

    You can now log in as “Administrator” with NO password.

    Once you are in as Administrator you can change the passwords of any local accounts in Control Panel | Users.

  • Snowden-Manning Heroes?

    DISCLAIMER: I have no first-hand knowledge of the NSA PRISM program. This is just my personal opinion of Edward Snowden’s release of classified information and the impacts.

    What is PRISM:

    PRISM is the code name for the data collection program which was born out of the Protect America Act.

    Recently Mr. Edward Snowden released classified information to the international media and fled the U.S. He was working on the PRISM program and felt that the right thing to do was to tell U.S. citizens about their loss of privacy.

    [Image: Snowden-Manning heroes]

    SHH!! Don’t tell anybody this.. but privacy has BEEN gone if you are on Facebook, Google or any other social network. These organizations are storing our private data. But what do these organizations do with that data?

    • Do they try to protect your data?
    • Do they sometime release it to third parties?
    • Can certain data you store on their system be used against you in a court of law?
    • All of the Above 🙂

    Encrypt your data.  That is the only real way to have privacy to a trusted party.   Don’t use FB or Google for stuff you want hidden.

    The Need for Some Sort of PRISM:

    Spies get a very, very bad rap lately. Analysts are unsung heroes. In that world nothing is what it seems. The media presents one side of everything. You have to dig and cross-reference to get facts. Intelligence provides a proactive answer to security. I am speaking from the perspective of someone who has done security defensively. There is a need for gathering data within the U.S. infrastructure. Once data is gathered, it can be correlated to detect patterns of potential threats.

    So I think we MUST have something like PRISM (especially in the US) due to the exposure of our assets and the subsequent likelihood of attack. We have a high risk.  And the greatest risk is from INSIDERS (ironically enough PRISM cannot protect itself).

    There are three main issues with the program’s current setup:

    1. Lack of Oversight & Transparency: There seems to be very little transparency and oversight that represents US citizens regarding privacy and controlling how far the government can go. US Senators are led away from what is really going on.

    2. Total Information Awareness: This system may be too DAMN powerful as far as what it is capable of. In fact, it seems to be like using GOD Mode 24/7 to gather information. Snowden mentioned that it can track ANY email.. is this on a whim? Does there need to be some sort of probable cause or “reason to believe”, or is this left to the discretion of the guy with his finger on the button.. this leads to the next issue..

    3. The Patriot Act II + Protect America Act = It’s too DAMN politically powerful. This program has the legal backing to do anything with NO checks and balances.

    Is SNOWDEN A HERO?

    Would I call Snowden/Manning heroes/martyrs? I would not group Snowden with Manning. The information that Snowden released (so far) is showing the capability of NSA spying (something that was done by whistleblower William Binney in 2002). PVT First Class Bradley Manning leaked a lot of war material that risked a lot of people’s lives:

    videos of the July 12, 2007 Baghdad airstrike and the 2009 Granai airstrike in Afghanistan; 250,000 United States diplomatic cables; and 500,000 army reports that came to be known as the Iraq War logs and Afghan War logs. It was the largest set of restricted documents ever leaked to the public. – http://en.wikipedia.org/wiki/Bradley_Manning

    The problem with this is that it actually endangered the lives of informants and some people that were on the ground in Afghanistan/Iraq. Manning fucked up big time. Snowden is a hacktivist who will have to spend some time in prison or in Iceland evading the US government unless the American public rallies to sway the politicians.

    Whistleblower Protection:

    My hope is that due care is taken on this issue, because there is a real concern regarding the Constitution, privacy and unchecked powers of the government. If not, perhaps the next administration will take up the call of the people. The Sarbanes-Oxley Act of 2002 has a Whistleblower Protection Act that would be helpful if such a law could apply to Snowden. I am not so sure about that.

    Transparency & Accountability

    I know there needs to be transparency and accountability. But I think it’s naive to think that we should release all information on all classified data to the world as the Wikileaks crowd believes.

    Why?

    Organizations & States have an obligation to maintain Confidentiality of critical data.

    That means databases with witness protection programs must be kept confidential, bank transactions must be protected..

    Nations have some serious enemies (ESPECIALLY the US). The US government’s duty is to protect its people from those enemies (foreign or domestic).

    Consider this: certain information on the physical/logical locations of weapons systems, patterns on lethal biochemicals, and information on the capabilities of a nation are very effective tools in the hands of really bad people.

    It’s naive to think that opening up all classified data is going to set the world free. I wish humanity was in a kinder, gentler situation.. but the reality is some crazy people want to kill as many people as possible.

    Yes! I agree that governments with unrestricted power can be MUCH more dangerous. Some transparency with checks and balances is necessary.

    WAR OF INFORMATION

    The post-modern war conflict is a fight over ideology. It’s less about my nation versus your nation and more and more about belief systems.

    RIGHT NOW there is someone with the intent to kill as many people as possible.  With the capability and opportunity they would strike.  There IS an enemy and they are anywhere and everywhere.  You can no longer point at a map and say “All these people are my enemy.”

    Now there is an enemy willing to kill you over what you believe, what you represent and what they think you are.  And more than likely, THEY are living in your city.   Who are “THEY”?

    Figuring out who THEY are.. is where data mining and correlation comes in.

    The threat source can be from ANY country, race, creed, or religious faction. They are more and more likely to have citizenship in your country for the sake of having free rein to do the most damage to the most people that represent what they seek to destroy.

    It sounds crazy until a bomb goes off in the middle of the Boston Marathon with the attackers on their way to Times Square. Luckily, there was surveillance to help deter further killings.

    How do we fight against these threats?
    Threats can be detected via patterns within information.

    Solution: The government should allow the program manager of the system to explain why it’s necessary and provide proof of its usefulness. Limit the use and extent of PRISM’s power.

    I hope the president will listen to the Internet community on this. I hope that some political party will hear the cries of thousands of potential constituents and then take an intelligent look at the public’s concerns. Realistically, the American public voted for the reps that backed the laws that created this system. They accepted it by proxy. But the shock is from the alleged reach of this program. It’s too bad it took Snowden risking years away from home and possibly prison for the US to wake up and start talking about something that was leaked years ago.

  • uninstall avg

    The AVG Secure Search toolbar seems to appear out of nowhere and it’s annoying. It’s annoying because you probably did not want it. AVG is legitimate anti-virus software, but its search/homepage hijack is a bit pushy. I prefer a search engine without AVG on my Chrome browser.

    Luckily, AVG allows you to get rid of it in a few clicks.

    [Image: uninstall AVG]

    Select “Restore default new tab” in the far right-hand corner.

    [Image: uninstall AVG search]

    Upon selecting “Restore default new tab” you will be led to “AVG security toolbar settings”. Deselect “Show AVG Secure Search Box on new tabs in the browser”, then select “OK”.

    After that, you will need to close the browser and reopen it.