Cyber Security and Information Systems Information Analysis Center
The use of manual methods to monitor system controls has essentially become impractical due to the growing number of applicable controls and the increasing frequency at which they are to be evaluated (for the RMF’s near real-time risk assessment). Instead, the NIST guidance strongly suggests that automation be used, to the extent possible, to generate, c Read More
This webinar will cover the realities of the Enterprise Mission Assurance Support Service (eMASS): what works well, what does not work, and how to best make it work for you. We will discuss how to categorize your system, select applicable controls, and leverage eMASS to assist in this process. Two specific topics that will be covered are how inheritance Read More
The NISTIR 8011 volumes focus on each individual information security capability, adding tangible detail to the more general overview given in NISTIR 8011 Volume 1, and providing a template for transition to a detailed, NIST standards-compliant automated assessment. This document, Volume 2 of NISTIR 8011, addresses the Hardware Asset Management Read More
This volume introduces concepts to support automated assessment of most of the security controls in NIST Special Publication (SP) 800-53. Referencing SP 800-53A, the controls are divided into more granular parts (determination statements) to be assessed. The parts of the control assessed by each determination statement are called control items. The control Read More
Abstract: For military networks and systems, the cyber domain is ever-increasingly contested and congested space. Defenders of these systems must fight through adversary action in complex tactical and strategic environments. Just now completing its third year, the Cyber-Security Collaborative Research Alliance has sought to develop approaches for Read More
This article describes the challenges and solutions for Security Authorization in a cloud based services environment. We describe Compliance as a Service (CaaS) that supports various service models as well as the deployment models in cloud-based environment. This makes the solution elastic, metered and cost effective, all characteristics of a cloud based Read More
Effective Integration of Cybersecurity into the DoD Acquisition Lifecycle encompasses several different processes: DoDI 5000.02 - Operation of the Defense Acquisition System DoDI 8510.01 - Risk Management Framework (RMF) for DoD Information Technology (IT) Cybersecurity Test and Evaluation Program Protection System Security Engineering Read More
Our discussion of technical best practices for the software development of safety-critical (SC) systems has four parts. First, we set the context by addressing the questions "What are SC systems and why is their development challenging?" The eight technical best practices for SC systems follow. We then briefly address how an organization can prepare for and Read More
A search at your favorite news aggregator for keywords such as “malware,” “computer virus,” or “data breach” will return results in the tens of thousands. For most organizations it’s not a question of if a cyber attack will occur, but when. And when an attack happens, the tempo of response must be fast, so an organization must already have practices in place Read More
This article describes several cybersecurity innovations. First, it proposes to integrate behavioral economics’ findings of biases in judgment and decision-making into cyber strategies, policies, and guidance using a new framework called Behavioral Economics of Cybersecurity, or BEC. Second, it aligns BEC with NIST’s Risk Management Framework by treating per Read More
