Updating the NIST Risk Management Framework for Information Systems

The U.S. National Institute of Standards and Technology (NIST) is taking public comments on its major risk management publication for information systems, SP 800-37. This document provides guidelines for applying the NIST Risk Management Framework (RMF) to information systems and organizations.

The RMF includes a disciplined, structured, and flexible process for organizational asset valuation; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. It also includes activities to help prepare organizations to execute the RMF at the information system level. The RMF promotes the concept of near real-time risk management and ongoing system and common control authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make efficient, cost-effective, risk management decisions about the systems supporting their missions and business functions; and integrates security and privacy into the system development life cycle.  Use of the NIST RMF is mandated for federal information systems by the Federal Information Security Management Act (FISMA).

Comments are due by June 22nd.

Cybersecurity of DOD Critical Infrastructure Webinar, April 25th

The Cyber Security and Information Systems Information Analysis Center (CSIAC) will host a webinar on the cybersecurity of Department of Defense Critical Infrastructure on April 25 @ 12:00 pm EDT.

The presenter will be Dr. Paul Losiewicz, Senior Scientific Advisor at Quanterion Solutions Incorporated and the Cybersecurity and Information Systems Information Analysis Center (CSIAC).

The webinar will cover DoD policy concerns and current R&D efforts in the field of cybersecurity and critical infrastructure protection. Topics will include WeaselBoard, being developed at Sandia National Laboratories; More Situational Awareness for Industrial Control Systems (MOSAICS), sponsored by PACOM and NORTHCOM; and recent policy concerns relating to cybersecurity and the utilities privatization of critical infrastructure. This webinar will also report the results of a panel discussion from the DHS Joint Industrial Control Systems Working Group (JICSWG) meeting held April 9-11 in Albuquerque, NM.

To register, see: Cybersecurity of DoD Critical Infrastructure

NIST Seeking Technology Vendors for Energy Asset Management Model Use Case

The National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) is proposing a model use case project to enhance the energy sector’s asset management capabilities for operational technology (OT). Arch Street is currently a member of the NCCoE Energy Sector Community of Interest, which provides guidance to the NCCoE on energy sector cybersecurity challenges.

The objective of this use case is to provide guidance on how energy companies may enhance Operational Technology (OT) / Industrial Control System (ICS) asset management by leveraging capabilities that may already exist in an operating environment or by implementing new ones.

The new NIST project will include the development of a reference design and use commercially available technologies to develop an example solution that will help energy organizations address the security challenges of OT asset management.

This project will describe methods for managing, monitoring, and baselining assets and will also include information to help identify threats to OT assets. It will result in a publicly available NIST Cybersecurity Practice Guide, a detailed implementation guide of the practical steps required to implement a cybersecurity reference design that addresses this challenge.

Technology vendors are encouraged to provide products and technical expertise to NIST via a Cooperative Research and Development Agreement (CRADA) to support and demonstrate security platforms for the Energy Sector Asset Management Project. Applications are open on a first-come, first-served basis. For more information, see the announcement in the Federal Register released today, March 26, 2018.

FY 2018 Omnibus Appropriations Introduced in Congress

After a long saga, the FY 2018 Omnibus Appropriations bill is out.

For the full text of the various sections, see the Consolidated Appropriations Act, 2018.

One area of interest for Arch Street is funding for cybersecurity R&D and technology transfer activities in the Department of Homeland Security Science and Technology Directorate. Earlier budgets had proposed major cuts to these programs, but, at first glance, funding has been boosted and language prioritizing technology transfer and partnership intermediaries has been included.

More to come.

See: Full text of the DHS S&T appropriations (pdf)

DHS S&T Issues New Cybersecurity Research and Technology Guides


Arch Street is pleased to work with IgniteU-NY, a partnership intermediary of the Department of Homeland Security (DHS) Science and Technology Directorate (S&T). In this role we help S&T bring leading-edge technologies flowing from government and university laboratories to the commercial marketplace — to better protect the critical infrastructure of the United States, such as the energy grid, water systems and transportation networks.

That is why Arch Street is excited to see that DHS has released two new guides focused on transitioning mature cybersecurity solutions and spurring community discussion about its R&D priorities.

The two publications are the 2018 Cyber Security Division Portfolio Guide and the 2018 Cyber Security Division Technology Guide. These informational guides outline the scope of S&T’s broad cybersecurity research portfolio and provide insight into numerous R&D efforts that are at or nearing the transition phase, respectively. Each is available for free download from the S&T website.

OMB Publishes Training Modules for Managing Federal Grants

The Office of Management and Budget (OMB) initially developed the Grants 101 Training for federal government employees, but now these eLearning materials are available free to the public.

This grants training comprises five modules, most of which contain multiple online lessons:

1. Laws, Regulations, and Guidance
2. Financial Assistance Mechanisms
3. Uniform Guidance Administrative Requirements
4. Cost Principles
5. Risk Management and Single Audit

See: blog.grants.gov/2018/02/01/omb-publishes-free-online-grants-management-training/

NIST to Host Workshop on Resilience of the Internet and Communications Ecosystem


This workshop at the National Cybersecurity Center of Excellence in Rockville, MD is open to the public and will center on a draft report about actions to address automated and distributed threats to the digital ecosystem as part of the activity directed by Executive Order 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.”

See: Enhancing Resilience of the Internet and Communications Ecosystem (Second Workshop) | NCCoE