This revision is a result of two years of concerted collaboration, including working with the CIO Council to craft the new privacy controls. The revisions aim to address potential gaps in coverage, add new security controls and control enhancements, and provide much needed additional supplemental guidance. The tailoring guidance, coupled with overlays, make it straightforward for IT enterprises to create security plans and policies.

The new privacy controls focus on privacy – as being distinct from, but interrelated with, security — and provides a structured set of controls that specifically address compliance with privacy requirements. This is good for the market because it provides a structured approach to meet those requirements. Further, it also provides controls that help verify compliance with privacy requirements and provides reassurance on what that the market needs in order to transact business with an improved level of confidence.

The new tailoring guidance allows organizations to align the controls more closely with their environment’s specific conditions. Organizations now have the flexibility to perform the tailoring process at the organization level, mission/business process level, the individual information system level, or by using a combination of those. This new guidance enables organizations to use the tailoring process to achieve cost-effective, risk-based security that supports organizational business needs.

The introduction of the concept of overlays, a fully-specified set of security controls, control enhancements and supplemental guidance, allows IT enterprises to simplify development of security plans. In essence, overlays are intended to reduce the need for customized guidelines. They bring an opportunity to build consensus among enterprises’ various departments by enabling increased collaboration, resulting in operational efficiencies.

The basics of cybersecurity don’t change over time, but SP 800-53 re-frames how to apply security controls for new threats. Threats have changed considerably since NIST released SP 800-53 rev 3 and the newly-introduced controls draw heavily from actual attack reporting data from agencies. NIST SP 800-53 rev 4 guides enterprises in building stronger, resilient IT systems with sufficient security capability to protect core missions. As industry implements the new controls, improvements in secured computing will lead to heightened confidence in our inter-connected ecosystem creating an opportunity for resellers and contractors that are knowledgeable about the revised publication to lead the Federal community into the next stage of secured computing.

NetApp Promise BYOD Security Without Using the Cloud

In February, NetApp purchased ionGrid, a company that focused on secure data access for mobile devices. Last week, NetApp announced that they will soon be introducing bring-your-own-device (BYOD) security without using the cloud. The product, NetApp Connects, will allow users to download, edit, and share files, be integrated with the Data Ontap operating system, and will authenticate users through mobile devices. Search Storage has the breakdown.

Survey Highlights FDCCI Uncertainty

The recent “FDCCI Big Squeeze” report, sponsored by NetApp, highlights the uncertainty around the Federal Data Center Consolidation Initiative (FSCCI), which stipulates that by 2015, 1,200 government data centers will close. The report came a day before a recent hearing on the FSCCI’s progress amid growing concerns. According to NetApp’s president for US Public Sector, Mark Weber, “The immediate takeaways from the survey suggest the FDCCI leaves a lot to be desired.” Read this recap for more analysis.

To Tap Big Data, Federal IT Must Partner with Tech Industry

A panel of experts at the FOSE government IT conference agreed: the federal government must develop deeper partnerships with private sector IT companies. Federal CIOs face mounting Big Data challenges, and need an answer to their growing IT problems. President Obama has touched on Big Data, recently releasing an executive order on the subject, yet core issue pertain, including: cybersecurity, analyzing data the size agencies are collecting, finding cost-effective storage solutions, and justifying the costs of Big Data. CIO has a review of the panel, with suggestions.

Government to Share Cybersecurity Information with Private Sector

For the first time, the government will use classified cybersecurity information to help protect companies. The records will involve known software vulnerabilities that can help companies mitigate potential attacks. Secretary of Homeland Security Janet Napolitano also said the government is developing a system to scan internet traffic to identify potential attacks. Insurance Journal has the report.

A Successful Private Cloud Migration Starts with Data and Apps

An organization debating whether to use a private or public cloud tends to do so without focusing on the question: Which platform is right for the job. In an Info World article from last week, David Linthicum tries to separate the “group-think” from the actual nuts and bolts of deciding how to successfully migrate to the cloud – whether private or public.

Here are some simple checks, recommended by IMAGINiT Technologies, that you can follow to determine whether you’re getting the most out of your investment in BIM:

1. Are your designers asking questions about how your drawings should look or are you seeing inconsistencies in printed drawings?

What about the informational content of your models, whether its line styles, family libraries or agency standards? If you are seeing inconsistencies in any of these areas then you may need to focus on developing good design standards.

2. Do you have to export drawings into AutoCAD in order to share them with other team members?

Then that’s a sure sign that you have a model sharing problem. These types of unproductive workarounds can lead to sequential development instead of parallel development – one of BIM’s main efficiency benefits. Even worse, by not practicing true model sharing you’ll likely face a lack of coordination and costly errors during the construction stage.

3. Are your file sizes excessively large?

This is a potential sign that designers are not using the software properly. They may be incorrectly embedding CAD information or over-modeling objects because limits have not been set on what information they need to include – this can result in poor software performance and reduced productivity.

If you are experiencing any of these three symptoms then you may be headed for an unhealthy BIM diagnosis!

Not sure what to do about it? Well, IMAGINiT recently launched a new “Revit Health Check” service designed to help BIM teams successfully implement a BIM strategy. The service includes an assessment of how teams are using Revit, identifies inefficiencies and proficiency gaps. IMAGINiT experts will also analyze select Revit project files and related documents to uncover issues related to model optimization, collaborative workflows, software performance, information quality, and more. At the end of this investigative period, you’ll receive actionable advice that you can implement immediately, together with lower priority recommendations for future consideration.

For more information, contact the IMAGINiT location nearest to you. You can also contact DLT Solutions, Autodesk’s Master Government Reseller. For more about our Revit Health Check offering, visitimaginit.com/RevitHealthCheck or watch this brief video overview.

Image courtesy of CSIGS.com.au

The Challenge behind FOIA Requests

Government agencies have provided information to public and private citizens through FOIA since 1966.  When a request is received, agencies must search through multiple systems with varying types of data, including traditional Word documents, spreadsheets, video, audio, email, and more, in order to locate the required information. Once the data is located, it is then sent to the agency’s legal counsel to ensure accuracy and removal of any classified or personal information.  The entire process can take anywhere from a single day to several months depending on the complexity of the request. Agencies must also follow-up with anyone connected to the request to ensure they have been provided with all the required data. Add in processing multiple FOIA requests concurrently, and this lengthy and labor intensive process can lead to serious backlogs.  According to a 2011 FOIA report, 644,165 FOIA requests were made in 2011 and of those requests, 83,490 were backlogged.

As budgets for government agencies continue to shrink, it will grow increasingly difficult to keep up with incoming requests.

The Solution:  Locate and Gather Data in Less Time

With the right technology, agencies can locate and assemble documents for FOIA requests more efficiently and effectively. The Google Search Appliance connects to any data source, such as SharePoint, SQL, and Oracle databases, and Lotus Domino and Apache servers, to search files quickly.  Users can type a phrase or words associated with the FOIA request and the Google Search Appliance will immediately begin compiling data that contains the information in the query.  The Google Search Appliance can search over 250 of the most common file formats, and even crawls through geospatial databases, withdrawing data in minutes.

Once all data has been located, the Google Search Appliance compiles the information into a single PDF, making it easier to review.  The Google Search Appliance can be customized for a particular agency’s needs, including setting up parameters for the system to identify documents that meet FOIA exemptions and easily redact sensitive information.

Google Search Appliance is simple to install and features dynamic navigation, filter options, and local administration.  It is also fully compatible with existing security systems, ensuring data security is not compromised.

Having the power to access all sources of data in your agency in one search eliminates the hassle of having to contact every individual involved with the topic of the FOIA request, thus streamlining government workflow and saving agencies time and money.

Interested in learning more? Check out these great Google Search Appliance resources:

• Using Google Search Appliance for Database Searches (webcast)
• Google Search for the Public Sector (whitepaper)

Obama Orders Agencies to Make Data Open, Machine-Readable

On Thursday, President Obama made “open and machine-readable” data formats a requirement for all new government IT systems, including those being updated. This effort is an extension of President Obama’s earlier efforts, including Data.gov, to create greater transparency and innovation through technology. ARS Technica has the summary.

Fixing Flaws in Federal Government IT Security

Karen Evans, the government’s former top IT officer, and Franklin Reeder, a onetime top executive in the White House Office of Management and Budget, recently wrote a paper called, “Measuring What Matters: Reducing Risk by Rethinking How We Evaluate Cybersecurity.” GovInfo Security has an interview with them about their paper that covers: How their approach differs from FISMA; and why audits deal with compliance, and not cybersecurity.

Hearing Set to Probe Data Center Progress

The House Oversight and Government Reform Committee’s Government Operations Subcommittee has scheduled a field hearing to review the Federal Data Center Consolidation Initiative’s progress. Under the watch of the Office of Management and Budget (and a collective from 24 agencies), around 1,200 of an estimated 2,900 government data centers is to be closed or consolidated by 2015. The hearing will center on a new Government Accountability Office report. FCW postulates about the potential topics for review.

Amazon Web Services Leading Cloud Infrastructure-as-a-Service App Development

Using the Magic Quadrant for Cloud Infrastructure as a Service, 2012 as the baseline, Forbes showed that Amazon Web Services (AWS) was “57.1% of inquiry share worldwide for application development during the 4^th quarter of 2012.” AWS even gained 10% inquiry compared to other vendors from 2011 to 2012. Read Forbes’ full story here.

Driving Better Governance with Open Source

Open Source, once thought of as a hobby and too unsecure for government use, has become a staple of government IT. Future Gov has an interview with Red Hat’s Vice President for Corporate Affairs & Global Public Publicity, Mark Bohannon, about this change. “Owing not only to the benefits of the technology, but also to the benefits of the collaborative innovation model, Open Source software has by any measure become mainstream and vital to enterprise and government IT architecture,” he said.

The Fully-Secure Quantum Internet System

Ever imagine a perfectly secure internet, absent of hackers and cyberattacks? The Los Alamos National Labs may have made it into a reality. The “quantum internet system” works by utilizing hub servers instead of computer-to-computer networks. Quantum cryptology changes the message once it’s observed, ensuring safe digital communications. Wired has the scoop.

This year’s Midyear Conference was held in April in Washington D.C. and was attended by about 500 state CIOs, CIO staff members, and corporate sponsors. The event is usually rich with panels on topics of keen interest to members and presentations by Federal Government officials, and this year was no exception. State CIOs are as concerned about cybersecurity threats as their Federal Government counterparts. This topic was a special focus at this year’s conference. State CIOs are gaining support from elected officials who are beginning to see successful cyberattacks as not only a technical problem but also a political problem. Constituents are becoming more aware of information security issues and are demanding that stronger and more effective measures are taken to protect their personal information.

A panel of security officers and/or CIOs from Texas, Georgia, Michigan and Nevada addressed the topic of cybersecurity governance, compliance and collaboration. The panel discussed the importance of establishing proactive versus reactive approaches to meeting the challenge of information security and shared ideas about how to solve both organizational and technical issues through inter-organizational collaboration and development of a risk management plan appropriate to each state and agency. A key point was that the cost of mitigating damage after the fact was exponentially greater than the cost to prevent damage before an attack.

Jim Lewis, senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS), made a presentation on cybersecurity that highlighted national level issues. He spoke in detail about the threat posed by bad actors based in China, Iran, and Russia and the difficulty in bringing pressure on the governments in these countries to eliminate threats. Mr. Lewis also discussed the various Administration and legislative initiatives (e.g., the Executive Order on Improving Critical Infrastructure Cybersecurity, the Cyber Intelligence Sharing and Protection Act (CISPA)) and the difficulty and time required to gain the necessary consensus and momentum needed to effectively implement these measures. The message to NASCIO listeners was to work out simple, high-payoff risk management strategies and implement them rather than delaying for guidance on comprehensive approaches that might be two or three years in coming. He specifically called out application whitelisting, patch management, restricting administrative access to a minimum of staff, and implementing continuous monitoring as four measures that would reduce a high percentage of the most common risks.

Andy Ozment, Senior Director for Cybersecurity at the White House, addressed the President’s Executive Order to improve critical infrastructure cybersecurity and spoke directly to the state CIOs interests as the “owners” of much of the country’s critical infrastructure. These assets include power plants and the electricity grid, water pumping/distribution systems, food supply chain assets and similar critical infrastructure elements that comprise the nation’s infrastructure. He pointed out that the states own much of the critical information technology that is used to deliver Federal program benefits and that these IT resources were also deemed to be critical infrastructure in the context of the Executive Order. Mr. Ozment discussed the practical issues with respect to information sharing and warned the state CIOs that the Federal Government would not be able to share threat information that compromised intelligence sources and methods. In other words, information sharing about threats may at times appear to be a one-way exercise.

Mr. Ozment said that, with respect to critical infrastructure cybersecurity, one of the defining moments for the Administration was last year’s successful attack on Saudi Aramco information technology assets by a foreign government that resulted in the destruction of over 30,000 computer hard drives and operating systems. That was a wake-up call.

There’s a method in which all is data;

There’s nothing here of procedure;

Whatever is abstracted, has abstracted-

There’s a class that expresses only interface;

There’s a machine paradigm that instantiates object properties;

There’s nothing distant anymore;

Algorithm who’s componentized, has OpenAPI-

That which is speed, will go on being WildFly;

There’s a speed in the time dimension;

There’s a speed in which applications perform-

There’s a standard which modularizes peers;

There’s a container that doesn’t pause garbage collection;

Application simplify decision making sorting.

NIST Releases New Security Controls

The National Institute of Standards and Technology (NIST) recently released an update to their guiding controls special publication – Security and Privacy Controls for Federal Information Systems and Organizations. Two years in the making, the new version includes features a new emphasis on assurance and a persist focus on continuous monitoring. GovInfoSecurity has the recap and an interview with NIST’s Ron Ross, the project leader. They also have an interview with NIST’s Donna Dodson – 240 Ideas to Secure Critical IT.

State & Local Governments Collecting Data, Not Analyzing

A recent MeriTalk report found that although state and local governments are collecting data, 41% of agencies are not analyzing it – a phenomenon called the “Big Data Gap.” The major challenges facing Big Data analysis at the state and local level are storage capacity, speed of analysis and processing, and analysis. Problems are further complicated because agencies are unclear about who owns the data.

Zero-Day Explorer Hack Targets Nuclear Weapons Researchers

Cyberattackers targeted employees of the Dept. of Energy through a zero-day exploit in Microsoft Internet Explorer. Researchers believe the hackers were specifically looking to break into files involved with nuclear weapons research. Arstechnica has a full breakdown.

Officials Preparing for More Mobile Government

Steven VanRoekel, federal chief information officer, wants to create government-on-the-go. Over the last year, Steven’s team has issued reports filled with strategies and milestones to facilitate a shift toward mobility. But this transformation isn’t just being driven from above. Many government employees, including those in the military, are demanding the use of personal mobile devices on the job. The Washington Post has a great write-up about the challenges, and Symantec, a DLT partner, has solutions.

DLT in the News

DLT Solutions was recently named North American Partner of the Year for Google Maps for Business. You’ll find the press release here.

Here’s a quick recap and taste of what you’ll gain from registering for GovDefenders On-Demand:

1. Eight educations breakout sessions:

• Symantec Data Insight: How to Track Billions of Files from Millions of Systems to Identify New Threats with John Dodds of Symantec
• Red Hat Open Source Security: Defense in Depth with Mark St. Laurent and Shawn Wells of Red Hat
• Making the GRC Grade: How to Realize Continuous Monitoring and Compliance with Michael Mullins of ForeScout
• Packet Capture and Analysis with Dave Denson of NetApp
• Privileged Account Management: Managing Super Users with Brad Bussie of Dell Software
• Continuous Monitoring with Nicole Pauls of SolarWinds
• Extending Secure and Interoperable Government Services with Paul Laurent of Oracle
• Five Things You Need to Know About FedRAMP with Shamun Mahmud of DLT Solutions

2. Two keynotes:

• Security and Legal Issues in Cloud Adoption with John Nicholson, President of the DC Chapter of the Cloud Security Alliance
• Building the Next Generation of Cyber Defenders with Jim Wiggins, Founder and Executive Director of the Federal IT Security Institute

3. The Similarities and Differences Between On-Premise Enterprise Security and Public Cloud Security panel with Van Ristau, DLT Solutions Chief Technology Officer, and featuring:

• Scott Armstrong, Strategic Programs at Symantec
• Lee Vorthman, Cyber Practice Lead at NetApp
• David Blankenhorn, Chief Cloud Technologist at DLT Solutions

4. Over 100 cybersecurity resources including white papers, data sheets, and more videos from NetApp, Symantec, ForeScout, Oracle, Dell Software, Red Hat, SolarWinds, DLT Solutions, and GovDefenders

Whether you’re just beginning to explore cybersecurity or an expert, there’s new ideas to be found, new applications to discover, and new information to glean.

REGISTER NOW!

BONUS: Jim Wiggins’ keynote is now on YouTube!

But, you say, everyone else is using this best practice document published on the Internet by some authoritative sounding group, so Matt must be wrong again!

Well, when we were kids, we were told not to do something just because everyone else is doing it (unless you count this particularly insightful take by Randall).

The desire for a best practice document is to shortcut a painful learning experience with a configuration that works.  We know that the best practices probably aren’t best, but at least there’s a document that tells me what to do.  Some IT managers may not understand that concept, expecting the best practices are just that, best.  Without getting into a rant, ITIL is a framework and a guideline, not a proscribed daily regimen.  Every environment could do with a little tweaking for optimal performance.  But sometimes good enough is perfect.

What we want aren’t really best practices.  What we want are workable reference architectures that can be easily modified and better guides on how to install systems and applications.  Reference architectures usually aren’t part of the standard packaged documentation delivered with software.  If they exist, they are written by a separate group at a vendor, or perhaps a reseller, and may not tie back well to the standard docs.  And sometimes, they aren’t well written at all.

There’s a fundamental problem in software documentation, how do you present all the relevant materials while including all of the potential scenarios?  We’ve all experienced installation guides that give us no actual workflow for installing the product.  We started on one path, followed a tangent to another end, came back around to a third point before delving into some other special case.  Then we move on to the next button, option or widget.  At the end, we still have to cobble together the right sections to build the workflow, hoping we understood the key concepts.

Guides: Evaluation vs. Installation

One of the better sets of documentation I’ve read recently came from Red Hat around their virtualization platform.  Some smart folks decided that they needed to put together a guide that would assist customers in getting the tools running and start using them right away.  This evaluation guide is probably one of the best quick start guides I’ve seen.  How is this different from the installation guide?

Mainly, the evaluation guide sets out a workflow and only deals with those steps. The installation guide discusses all of the possible options at each step.  The installation guide does have a workflow laid down at the beginning and signposts at various points of the documentation, but even if you jump to a workflow section on installing the manager, we still get upgrade and uninstall details.  The evaluation guide’s only purpose is to get a working RHEV environment running so you can start test cases.

Now the evaluation guide is not the “be all, end all” of RHEV deployments.  It’s a workable but not necessarily high performance configuration.  Here we need to add a reference architecture that explores specifics of performance characteristics and hardware specifications.  Again referring to Red Hat’s Customer Portal, the Reference Architectures contain network diagrams, driver install guidelines, firewall rules, package additions, etc.  Combining the workflow specific framework of the evaluation guide with the detailed architecture of the Reference Architectures can get you to the desired state of “best practices”.

As we start looking at cloud environments, these sorts of cries for “tell me where to start” get louder.  Many of our old lessons don’t apply in this brave new world of abstracted resources and multiple availability zones.  There’s a new architecture paradigm to embrace and new rules of the road.  Amazon has started an “Architecture Center” to provide some overviews of how to use their tools. But even here, reference architectures and workflow based guides provide the same jumpstart as they do in traditional data center environments.  Best practices are going to provide the best of the mediocre.  Demand more.  Learn better.

Or is there something really wrong with the bridge?