The threat of another government shutdown in fiscal 2019 has come and gone, but lawmakers on both sides of the aisle aren’t giving up their push to secure a few more financial flexibilities for participants in the Thrift Savings Plan during future lapses in appropriations.

Sen. Bill Cassidy (R-La.) is the latest member of Congress to introduce legislation that would waive the typical penalty that TSP participants would usually incur if they take a hardship withdrawal before a certain age.

Cassidy’s bill essentially mimics language that the Federal Retirement Thrift Investment Board, the agency that administers the TSP, had written following 2017’s devastating hurricane season. The legislation would treat a government shutdown as a financial hardship and allow current federal employees under the age of 59-and-a-half to withdraw from their TSP accounts without incurring a 10 percent early withdrawal penalty tax.

With Cassidy’s bill, there are now five pieces of legislation that aim to accomplish this similar goal. The bills would also let TSP participants repay the hardship loans under certain deadlines and parameters.

The FRTIB is still working with congressional staffers to change the original legislative text to something the agency can implement, said Kim Weaver, director for external affairs.

Reps. Pete Olson (R-Texas), Don Beyer (D-Va.), Ed Perlmutter (D-Colo.) and Elaine Luria (D-Va.), along with Sens. Tim Kaine (D-Va.), Ron Wyden (D-Ore.), Patty Murray (D-Wash.) and Susan Collins (R-Maine), were among the members who had originally introduced or co-sponsored one of these bills.

“The bills are going to be amended as they move forward,” Weaver said at the board’s monthly meeting Monday. “I’m told by staff on both sides that they intend to get this type of legislation in permanent law. If there’s another government shutdown come Oct. 1, which would be the next opportunity, [we don’t want] this scramble we experienced in January.”

From Weaver’s perspective, there’s bipartisan, bicameral support for some sort of legislation in this Congress regardless of the timing of the next government shutdown, though she said it’s unclear which bill would be the most likely to move forward.

Meanwhile, the FRTIB is still noticing the impact of the 35-day government shutdown in other ways.

The FRTIB saw a 25 percent jump in hardship withdrawals in January. New loan requests, however, are stable at this point.

The agency also saw a lower than usual increase in Thrift Savings Plan participation among Federal Employees Retirement System (FERS) employees last month. The FERS participation rate went up just less than 1 percent in January, meaning that 90.3 percent of FERS employees deferred money to the Thrift Savings Plan that month.

“We’re attributing that to the furlough,” Tee Ramos, FRTIB’s director of participant service, said. “There are several organizations where we derive our numbers, and there were several organizations that didn’t have payroll for that month.”

Auditor finds TSP cybersecurity lacking

The TSP is still struggling with its cybersecurity posture and hasn’t fully developed and implemented an effective information security program, according to the most recent results of an independent Federal Information Security Modernization Act (FISMA) audit.

The FRTIB has been struggling to meet FISMA requirements since at least fiscal 2016, when the agency conducted its first-ever such audit. The agency suffered a cyber breach back in 2012, when hackers accessed personal information for 123,000 TSP participants through one of its contractors.

Using the FISMA maturity model, an independent auditor considered three out of eight domains as “defined.” The remaining five are still considered “ad-hoc,” meaning most FRTIB security policies and procedures aren’t formalized and still reactive in nature.

The FRTIB doesn’t have an inspector general and uses an independent consultant, Williams Adley in this case, to review the agency’s compliance.

Data protection and privacy, identity and access management, and configuration management were the three domains that moved up a notch on the FISMA maturity model rating this past year, according to the Williams Adley audit.

“Many initiatives were in place during the year, but by the time our assessment had concluded, those initiatives were either not completed or they had just recently been completed and we weren’t able to assess the level of completion,” the auditors said at Monday’s board meeting.

Both the agency and the auditors were relatively confident the FRTIB’s cyber posture would, in fact, continue to improve in the coming years. The agency has had one permanent chief technology officer (CTO) on board for nearly a full year now, who’s leading the FRTIB’s FISMA response strategy.

The agency also found a deputy CTO and formed an enterprise risk management steering committee, which has a direct reporting line to FRTIB management and the executive director.

Williams Adley told the board it sees signs that more secure leadership, along with the FRTIB’s improvement strategy, demonstrates that the agency is thinking about cybersecurity in a different way.

Patrick Bevill, the FRTIB’s relatively new chief information security officer, said the agency would segment “cure activities” into 90-day, six-month and one-year blocks for the eight FISMA domains. The goal is to bring all domains to the “consistently implemented” level by at least 2020.

Source

Latest version includes shift to industry-agnostic approach and Singapore’s Personal Data Protection Act

HITRUST today announced the release of version 9.2 of the HITRUST CSF.

This version integrates Singapore’s Personal Data Protection Act (PDPA) into the HITRUST CSF and includes additional plain language interpretations of relevant articles and recitals from the European Union’s General Data Protection Regulation (GDPR). Further, the HITRUST CSF Control Category for Privacy Practices has been revised significantly to support the placement of HIPAA-specific requirements in a separate segment in all categories, marking a shift to a more industry-agnostic approach for the HITRUST CSF and to better align with existing international privacy frameworks.

Designating HIPAA as a standalone segment creates no impact to healthcare organizations beyond the need to select their industry when conducting an assessment.

These updates reflect HITRUST’s continuing commitment to facilitate HITRUST CSF’s adoption in multiple industries, both domestically and internationally. HITRUST ensures the HITRUST CSF stays relevant and current to the needs of organizations by regularly updating the framework to incorporate new standards and regulations as authoritative sources.

HITRUST’s market-leading risk management and compliance framework – a key component of the HITRUST Approach – integrates and cross-references multiple authoritative sources such as ISO, NIST, PCI, and HIPAA. The HITRUST CSF provides the depth and breadth of controls organizations need to efficiently and effectively assess the strength of their risk-based protection programs and their compliance with multiple regimes through one assessment.


Source

Frisco, TX, January 15, 2019 – HITRUST, in collaboration with the Quality Subcommittee of the HITRUST CSF Assessor Council, is announcing updates to the HITRUST CSF Assurance Program to provide greater transparency and ensure continued integrity relating to HITRUST CSF Assessments.

The HITRUST CSF Assurance Program is governed by a comprehensive set of requirements, which are regularly reviewed, and updates are key in maintaining the robust nature of the Program that provides unmatched reliability to internal and external stakeholders.

HITRUST established and maintains the standard for providing integrity, transparency, accuracy and scalability of information risk management reporting through its HITRUST CSF Assurance Program which delivers efficiencies and cost savings to the assessed organization through its ‘assess once – report many’ approach. Most standards and frameworks lack an assurance program, which creates inconsistency of results and a lack of transparency and validity. With the HITRUST CSF Assurance Program, management, as well as external audiences, such as clients, vendors and regulators can be assured of a high degree of accuracy, consistency and comprehensiveness of the information privacy and security controls reported in the HITRUST CSF Assessment report.

The updates to the HITRUST CSF Assurance Program being released today include:

  1. Ensuring clarity of scope of an assessment – HITRUST Assurance Advisory 2019-01. Updated assessment scoping guidance will require assessors, working with the assessed entity, to include a more detailed description of each system covered in the assessment as well as specific details on the components for each system (e.g., operating system, database system); service offerings included in the system; and specifications for each service offering, such as what is in scope, what is not in scope, and what is partially in scope.
  2. Change regarding the number of qualified HITRUST Certified CSF Practitioner (CCSFP) hours for HITRUST CSF Validated Assessments – HITRUST Assurance Advisory 2019-02. Changed to increase the CCSFP resources requirement on an assessment to at least 50% of assessment hours to ensure qualifications of resources performing assessments.
  3. Providing direction for HITRUST Approved Assessor Organizations – HITRUST Assurance Advisory 2019-03. Additional guidance relating to assessor test plans and aligning those plans to HITRUST CSF implementation requirement statements, including guidance on acceptable documentation to support the activities and procedures that were performed.
  4. Changes to further ensure HITRUST Approved Assessor quality and consistency – HITRUST Assurance Advisory 2019-04. Changes to clarify the current requirement for assessors to perform independent quality assurance (QA) reviews of the assessment results, in addition to providing additional required training to those performing the QA review, and the completion of a checklist by the engagement executive and QA reviewer.
  5. Changes related to Interim Reviews – HITRUST Assurance Advisory 2019-05. Changes the name ‘Interim Reviews’ to ‘Interim Assessments’, outlines additional rigor and assurance around the process, and requires that Interim Assessments be performed within the HITRUST MyCSF tool.


About HITRUST CSF Assessor Council – Quality Subcommittee

Established in January 2017, the Quality Subcommittee of the HITRUST CSF Assessor Council consists of industry leaders committed to ensuring the reliability of HITRUST assessments who periodically review industry standards to provide guidance to improve assessment criteria.

For inquiries regarding these updates, please contact us at support@hitrustalliance.net.


Source

Current and former NASA employees are at risk of identity theft after the space agency discovered a cyber attack.

On Oct. 23, NASA found one of its servers containing personal data, including social security numbers, suffered a data breach.

“The agency will provide identity protection services to all potentially affected individuals,” said a NASA spokeswoman in an email to Federal News Network. “NASA does not believe that any agency missions were jeopardized by the intrusions. Once discovered, NASA took immediate action to secure the impacted servers and has been working to perform a forensic analysis since then — this process will take time. The ongoing investigation is a top NASA priority.”

SpaceRef first reported the cyber attack and loss of data.

NASA didn’t say how many employees were impacted by this data breach, but said in a Dec. 18 memo from Bob Gibbs, the assistant administrator and chief human capital officer, that the attack affected those who worked at NASA for a 12-year period.

“Those NASA civil service employees who were on-boarded, separated from the agency, and/or transferred between centers, from July 2006 to October 2018, may have been affected,” Gibbs writes. “Once identified, NASA will provide specific follow-up information to those employees, past and present, whose PII was affected, to include offering identity protection services and related resources, as appropriate.”

Systemic cyber challenges?

This data breach is the most recent example of NASA’s continued cybersecurity challenges.

NASA’s inspector general found in May that its security operations center has “fallen short of its original intent to serve as NASA’s cybersecurity nerve center. Due in part to the agency’s failure to develop an effective IT governance structure, the lack of necessary authorities, and frequent turnover in [Office of the Chief Information Officer] leadership, these shortcomings have detrimentally affected SOC operations, limiting its ability to coordinate the agency’s IT security oversight and develop new capabilities to address emerging cyber threats. In sum, the SOC lacks the key structural building blocks necessary to effectively meet its IT security responsibilities.”

In the fiscal 2017 report on the Federal Information Security Management Act (FISMA)—the 2018 report isn’t out yet—the IG found NASA’s cyber posture is considered immature, a level two of the cyber framework, and configuration management continues to be a problem.

“For example, during this year’s review the compliance rate with NASA security baselines averaged 79 percent for Windows devices. However, for Windows servers — considered a higher risk because they provide services to other computer devices over a network — the compliance rate for implementation of secure configuration settings dropped to 49 percent,” the report states.

The Office of Management and Budget’s most recent cyber scorecard under the President’s Management Agenda shows NASA struggling with hardware and software asset management. The space agency is doing well with authorization management, meaning critical systems have an authority to operate, and mobile device management.

And finally, the latest Federal IT Acquisition Reform Act (FITARA) scorecard said NASA earned an “F” grade under the FISMA section for meeting only two of the four cross-agency priority goals. Overall, NASA received a B+ under FITARA.

All of these struggles continued after NASA put its main end-user network and systems at risk because of unpatched systems in 2016. At one point, NASA CIO Renee Wynn took the unusual step of not signing system authorizations because of the lack of basic cyber hygiene on the systems.

“NASA takes cybersecurity very seriously and is committed to devoting the necessary resources to ensure the security of agency information and IT systems,” the spokeswoman said. “The agency is continuing its efforts to secure all servers, and is reviewing its processes and procedures to ensure the latest security practices are followed throughout the agency.”

Source

Bill Marion, deputy CIO, U.S. Air Force

The Air Force is about to join the still-small group of federal agencies who’ve found ways to dramatically accelerate the process of granting cybersecurity approvals for IT systems.

The Authority to Operate (ATO) process, a paperwork gauntlet that routinely consumes months of time before new systems are allowed to be connected to government networks, is a requirement of the Federal Information Security Management Act. FISMA tells CIOs they must know and accept the security risks each system carries with it.

But there’s no particular reason the system can’t work much more quickly, said Bill Marion, the Air Force’s deputy CIO. Service officials are expected to sign off on a new “fast-track” ATO policy within a matter of days, he said.

“We fundamentally believe this is going to help us bring capability faster,” he said last week at AFCEA NoVA’s annual Air Force IT Day. “It will bring us software modernization at a faster clip, but also provide better security.”

Marion said the new policy won’t be appropriate for every IT system, but in some ways, it will turn the traditional ATO process on its head. Rather than assessing every single system against the entire catalog of NIST security controls, the goal is to make intelligent decisions about which of those assessments really need to be performed at all for a particular system.

He offered an example: If the Army has already gone through the Risk Management Framework (RMF) and deployed a system the Air Force wants to use, does the Air Force really need to put itself through every one of those same painful paces?

“What do I think I’m going to find in that whole other 900 controls in RMF that we didn’t already flush out when we put that system in a hardened cloud computing center and put it through penetration tests? What do we expect to find, and is the juice worth the squeeze? Part of this is getting the decision in front of the approving official sooner, to then determine what parts of the RMF you even need to go through,” he said. “In some cases it may be very, very short. In some cases it may be truncated by a third, or half. It’s a fundamental retooling, but we are in a different world in how we’re managing risk.”

Streamlining approval process

One reason the Air Force may feel comfortable with less quadruple-checking of those security controls on the front-end is that it’s become increasingly confident that it can spot and fix genuine cybersecurity problems after a given system is deployed.

In early 2017, it deployed a commercial tool developed by Tanium that lets Air Force cyber defenders scan the service’s entire network within a matter of minutes and automatically patch any security holes they find in real time.

Officials ordered that the tool, which the Air Force calls Automated Remediation and Discovery (ARAD), be deployed on virtually all of its IT systems by May of 2017. Any systems that couldn’t employ the tool for one reason or another were deemed “high risk.”

The timing was fortuitous. The WannaCry ransomware attack struck computers across the globe that same month. But because of ARAD, the Air Force managed to effectively immunize its entire network from the malware in less than an hour, Marion said.

“That was game changing for us,” he said. “We had never done that before in our history. While we had been pretty fast, it typically took days or weeks to remediate something of that magnitude. And we did it at scale across the Air Force in 41 minutes. We have to be able to act when something happens. This belief in defense-in-depth and network-perimeter-only security, I would argue, is a failing one in this globally connected world.”

Aside from the new availability of the ARAD tool, Marion said the Air Force’s move to the new, faster ATO process will be guided by two other major factors.

Understanding risk, benefits

Authorizing officials will need to see demonstrable evidence that any new system adheres to basic cyber hygiene, and at least some of those systems will be subjected to a new generation of penetration tests once they’re up and running, including the “bug bounties” that are becoming increasingly pervasive across government.

“I liken it to the USDA meat inspection process,” Marion said. “We don’t inspect every piece of meat, but every piece of meat could kill you. So we inspect and we review and we check our processes to make sure that bad things aren’t creeping their way back into the system. We’re finishing Hack the Air Force 3.0 right now, but we’ve got a whole series of pen tests and bug bounties planned for fiscal year 19, and they’re funded.”

It’s not yet clear how long the revamped ATO process will take, but Kessel Run, the Air Force’s new agile software development office, has been working on a “continuous ATO” model it calls “ATO in a day.”

“So this is the new world order: Make sure you’ve got a basic level of hygiene coming into the mix – that’s the price of entry – bringing the sensors and remediation tools that sit on top, and then bringing a bug bounty pen testing process,” he said.

Similar concepts have been proven out in other federal agencies, including at the National Geospatial Intelligence Agency, which used the same terminology when it began working on its own speedier security approval process.

NGA has managed to get the process down to three days.

“We are continuing to build the telemetry necessary, the business rules, the promotion path for code committed to our dev/ops pipeline and to promote that as quickly as possible to operational,” Matt Conner, the agency’s chief information security officer said in an August interview with Federal News Network. “We still haven’t realized the one-day ATO, but it’s out there.”


Source

Catalogue Provides Enhanced Visibility into Cybersecurity Threats

Frisco, TX, November 1, 2018 – HITRUST, a leading security and privacy standards development and certification organization, is releasing its Threat Catalogue to provide organizations with greater visibility into the threats and risks targeting their information, assets and operations.

In addition to helping organizations understand the threats targeting their organization and their associated risks, the Threat Catalogue also identifies the specific technical, physical and administrative controls needed to address these risks. This improves an organization’s visibility into how it manages threats and better enables management to prioritize security programs and align budgets and resources.

Join our webinar on November 29, 2018 to learn more about the HITRUST Threat Catalogue.

Identifying threats is a major component of a comprehensive risk analysis process for any organization seeking to protect their sensitive data. Following an asset inventory, information classification, and system categorization, the threat identification process helps determine what adverse events are relevant to the organization and must be controlled. For example, the increased frequency of ransomware intrusions required organizations – of all types and sizes – to re-examine their controls around data backup and restoration and ensure they could successfully recover their data if such an attack occurred.

“Unfortunately, a comprehensive threat list that could support risk analysis and help organizations better understand and mitigate threats to sensitive information was essentially unavailable,” says Dr. Bryan Cline, vice president of standards and analytics at HITRUST. “Given its significance to the risk management process, we invested years identifying a complete set of threats at a level consistent with the controls used to address them.”

The HITRUST Threat Catalogue will be available free of charge and becomes an integral part of HITRUST’s risk management and compliance suite. It will help organizations ease the burden of analyzing and managing security and privacy risk by mapping these threats directly to the controls in the HITRUST CSF® framework. By ensuring organizations can identify threats to their sensitive information, assets and operations, they can prioritize and focus on specific controls that are relevant to them, and in turn, reduce risk.

The Threat Catalogue will also be used to help ensure the HITRUST CSF remains current and relevant to the changing environment by linking requirements to active threat intelligence. A thorough understanding of how well the CSF controls address existing and emerging threats will help HITRUST identify new control requirements or enhancements to requirements that may be needed to further mitigate associated risk.

In addition to mapping specific threats to the controls used to limit organizations’ exposure to risk, the catalogue also provides mappings to less comprehensive threat lists from other respected frameworks, such as the National Institute of Standards and Technology (NIST) Special Publication 800-30 and the European Network and Information Security Agency (ENISA) Threat Taxonomy.

HITRUST will update the Threat Catalogue regularly alongside the market-leading HITRUST CSF. This early release of the HITRUST Threat Catalogue allows public and private sector organizations to provide feedback prior to the document’s general release.

Interested parties are encouraged to download and review the catalogue after its release on Thursday, November 1st and submit comments by Monday, December 31st, 2018.


HITRUST Risk Management and Compliance Suite

The HITRUST Suite is designed to leverage and integrate best-in-class components for a comprehensive information risk management and compliance program, including a robust privacy and security framework, a scalable and transparent assurance program, a catalogue of threats, shared security control responsibility assignment and assurance, an assessment and corrective action plan management platform, a third-party risk management process, and an assessment exchange. It offers organizations an integrated, updated and supported approach for information risk management and compliance, which includes the following HITRUST programs and services – HITRUST CSF®, HITRUST CSF Assurance, HITRUST Assessor Program, HITRUST Threat Catalogue®, HITRUST Shared Responsibility Program, HITRUST MyCSF®, HITRUST Third Party Assurance Program and the HITRUST Assessment XChange.



Source


  • The Office of Personnel Management is changing regulations on direct hire authority. A proposed rule would give agency heads the task of issuing direct hire authorities to address recruiting challenges rather than OPM. The president’s executive order on chief information officers required OPM to propose new regulations on direct-hire authority. (Federal Register)
  • Postal employees received thanks for working to help find a suspect charged with allegedly sending 14 explosive devices through the mail. Gary Barksdale, deputy chief inspector of the Postal Inspection Service, thanked postal employees for serving as the law enforcement agency’s “eyes and ears” last week. FBI Director Chris Wray said his agency identified the suspect through a fingerprint on an envelope addressed to Rep. Maxine Waters (D-Calif.). The FBI also found DNA evidence on two additional packages containing explosives. (Federal News Network)
  • The Pentagon is creating one budget request for fiscal 2020 at $700 billion and another one at $733 billion. Deputy Secretary of Defense Pat Shanahan said the Defense Department had been working on the larger budget proposal for much of the past year, but made the smaller one after President Donald Trump asked all agencies to cut their requests by 5 percent. Shanahan said to get to that smaller number, the Pentagon will have to make some tough decisions about which investments in the research and development and acquisition areas are most important.
  • IBM became the latest government contractor to jump head first into a mega acquisition. Big Blue announced Sunday it is buying Red Hat for $34 billion in an all-cash deal. Red Hat provides open source enterprise software. IBM and Red Hat have partnered over the past 20 years, including more recently on open source cloud software. IBM said it will remain committed to Red Hat’s open governance, open source contributions and participation in the open source community and development model. (IBM)
  • A former Veterans Affairs employee pleaded guilty to taking bribes from three for-profit schools in exchange for encouraging disabled veterans to enroll in those schools. The Department of Justice said James King admitted to demanding and taking cash to steer veterans to the schools. At the time, King was working as a program counselor for VA’s Vocational Rehabilitation and Employment program. DOJ said King facilitated almost $2.5 million in VA payments to the schools. Three people from the schools themselves also pleaded guilty to bribing King. (Department of Justice)
  • The Office of Management and Budget set new cyber deadlines for agencies to reduce their risk profiles. Agencies have less than two years to move to a shared service for their security operations centers. In the 2019 Federal Information Security Management Act guidance released last week, OMB said agencies must develop and submit one enterprise-level cybersecurity operations maturation plan to OMB and DHS by April 2019. Then, by Sept. 30, 2020, they must migrate to a matured, consolidated and/or shared security operations center-as-a-service offering. Also in the FISMA guidance, OMB said agencies must implement a threat intelligence capability to identify deficiencies in their security defenses. (White House)
  • It’s going to take the Agriculture Department a little longer to transition to the Enterprise Infrastructure Solutions telecommunications contract. USDA’s Director of Enterprise Network Services said it will miss the May 2020 deadline as there isn’t enough time to reduce 14 unique infrastructures down to one. Meanwhile, the Department of Housing and Urban Development said its timetable is too close to call. But both departments are pushing forward, and intend to release requests for proposals next month. (Federal News Network)
  • State Department embassy construction is way behind schedule. Auditors found the agency won’t meet even half of its goal of 180 new, more secure embassies by the end of 2018. It’s only got 77 so far. The effort started during the Clinton administration, when a series of bombings prompted a long-term effort to replace buildings throughout the world. But the Government Accountability Office found staff shortages have slowed the effort, as well as poor collaboration with contractors. (Government Accountability Office)
  • OPM and the Equal Employment Opportunity Commission want to remind agencies of the resources they have to help employees self-identify disabilities and other conditions. Updates to the Rehabilitation Act require agencies to target a 12 percent participation rate for employees with disabilities. OPM acting Director Margaret Weichert and EEOC Commissioner Victoria Lipnic said agencies have several resources to help them meet those goals. (Chief Human Capital Officers Council)

Source