The Department of Defense this week established a new Defense Security Enterprise that is intended to unify and standardize the Department's multiple, inconsistent security policies.

The new security framework "shall provide an integrated, risk-managed structure to guide DSE policy implementation and investment decisions, and to provide a sound basis for oversight and evolution."

The Defense Security Enterprise, launched October 1 by DoD Directive 5200.43, is a response to the often incoherent and internally contradictory state of DoD security policy.

http://www.fas.org/irp/doddir/dod/d5200_43.pdf

An Inspector General report earlier this year said that there were at least 43 distinct DoD policies on security that could not all be implemented together. "The sheer volume of security policies that are not coordinated or integrated makes it difficult for those at the field level to ensure consistent and comprehensive policy implementation," the DoD IG wrote. ("DoD Security Policy is Incoherent and Unmanageable, IG Says," Secrecy News, September 4, 2012.)

http://www.fas.org/blog/secrecy/2012/09/dodig_security.html

But under the new Defense Security Enterprise, "Standardized security processes shall be implemented, to the maximum extent possible and with appropriate provisions for unique missions and security environments," the DoD directive said.

The new structure is supposed to "ensure that security policies and programs are designed and managed to improve standards of performance, economy, and efficiency."

But the directive does not explain how to proceed if "performance, economy, and efficiency" prove to be incompatible objectives. Nor does it provide a working definition for the crucial concept of "risk management." This term, often contrasted with "risk avoidance," implies an increased tolerance for risk (i.e. risk of failure). But the practical meaning (or the limit) of this tolerance is nowhere made explicit.

The Defense Security Enterprise will be managed by "a core of highly qualified security professionals," the DoD directive said.

FUSION CENTERS FLAYED IN SENATE REPORT

The state and local fusion centers supported by the Department of Homeland Security have produced little intelligence of value and have generated new concerns involving waste and abuse, according to an investigative report from the Senate Homeland Security Committee Permanent Subcommittee on Investigations.

http://www.fas.org/irp/congress/2012_rpt/fusion.pdf

"It's troubling that the very 'fusion' centers that were designed to share information in a post-9/11 world have become part of the problem. Instead of strengthening our counterterrorism efforts, they have too often wasted money and stepped on Americans' civil liberties," said Senator Tom Coburn, the ranking member of the Subcommittee who initiated the investigation.

http://www.hsgac.senate.gov/subcommittees/investigations/

While it may not be the last word on the subject, the new Subcommittee report is a rare example of congressional oversight in the classical mode. It was performed by professional investigators over a two-year period. It encountered and overcame agency resistance and non-cooperation. And it uncovered -- and published -- significant new information that demands an executive branch response. That's the way the system is supposed to work.

PUERTO RICO'S POLITICAL STATUS, AND MORE FROM CRS

New and updated reports from the Congressional Research Service that have not been made available to the public include the following.

Puerto Rico's Political Status and the 2012 Plebiscite: Background and Key Questions, October 2, 2012:
http://www.fas.org/sgp/crs/row/R42765.pdf

The Emergency Food and Shelter National Board Program and Homeless Assistance, October 5, 2012:
http://www.fas.org/sgp/crs/homesec/R42766.pdf

Federal Freight Policy: An Overview, October 2, 2012:
http://www.fas.org/sgp/crs/misc/R42764.pdf

The Peace Corps: Current Issues, updated October 2, 2012:
http://www.fas.org/sgp/crs/misc/RS21168.pdf

Chemical Facility Security: Issues and Options for the 112th Congress, updated October 2, 2012:
http://www.fas.org/sgp/crs/homesec/R41642.pdf
Information Security and Privacy Advisory Board Meet
[FR Doc. 2012-23608 Filed 09/24/2012 at 8:45 am; Publication Date: 09/25/2012]
Billing Code 3510-13
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
Announcing an Open Meeting of the Information Security and Privacy Advisory Board
AGENCY: National Institute of Standards and Technology, Commerce
SUMMARY: The Information Security and Privacy Advisory Board (ISPAB) will meet Wednesday, October 10, 2012, from 8:00 A.M. until 5:00 P.M. Eastern Time, Thursday, October 11, 2012, from 8:00 A.M. until 5:00 P.M. Eastern Time, and Friday, October 12, 2012, from 8:00 A.M. until 12:00 P.M. Eastern Time. All sessions will be open to the public.
DATES: The meeting will be held on Wednesday, October 10, 2012, from 8:00 A.M. until 5:00 P.M. Eastern Time, Thursday, October 11, 2012, from 8:00 A.M. until 5:00 P.M. Eastern Time, and Friday, October 12, 2012, from 8:00 A.M. until 12:00 P.M. Eastern Time.
ADDRESS: The meeting will take place at the Courtyard Washington Embassy Row, General Scott Room, 1600 Rhode Island Avenue, N.W., Washington, DC, 20036.
FOR FURTHER INFORMATION CONTACT: Annie Sokol, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930, telephone: (301) 975-2006, or by email at: firstname.lastname@example.org.
SUPPLEMENTARY INFORMATION: Pursuant to the Federal Advisory Committee Act, as amended, 5 U.S.C. App., notice is hereby given that the Information Security and Privacy Advisory Board (ISPAB) will meet Wednesday, October 10, 2012, from 8:00 A.M. until 5:00 P.M. Eastern Time, Thursday, October 11, 2012, from 8:00 A.M. until 5:00 P.M. Eastern Time, and Friday, October 12, 2012, from 8:00 A.M. until 12:00 P.M. Eastern Time. All sessions will be open to the public. The ISPAB is authorized by 15 U.S.C. 278g-4, as amended, and advises the Secretary of Commerce, the Director of the Office of Management and Budget, and the Director of NIST on security and privacy issues pertaining to federal computer systems. Details regarding the ISPAB’s activities are available at http://csrc.nist.gov/groups/SMA/ispab/index.html
The agenda is expected to include the following items:
– Presentation relating to SP 800-53 Revision 4,
– Panel discussion with members of the Office of Inspector General relating to NIST guidelines to advance security,
– Panel discussion on the latest development of FedRAMP,
– Panel discussion/updates on privacy and security risks for medical devices and the Government Accountability Office (GAO),
– Presentation on healthcare information technology security,
– Cybersecurity Updates from Director of Cybersecurity, White House,
– Presentation on Security, Privacy and Information Sharing,
– Discussion/presentation on information sharing, cyber and communications across federal agencies with the National Cybersecurity and Communications Integration Center (NCCIC, DHS) Director,
– Presentation/Discussion on Radios used by federal civilian agencies, and
– Update of NIST Computer Security Division.
Note that agenda items may change without notice because of possible unexpected schedule conflicts of presenters. The final agenda will be posted on the Web site indicated above.
Seating will be available for the public and media. No registration is required to attend this meeting.
Public Participation: The ISPAB agenda will include a period of time, not to exceed thirty minutes, for oral comments from the public (Friday, October 12, 2012, between 10:00 A.M. and 10:30 A.M.). Speakers will be selected on a first-come, first-served basis. Each speaker will be limited to five minutes. Questions from the public will not be considered during this period. Members of the public who are interested in speaking are requested to contact Annie Sokol at the contact information indicated in the FOR FURTHER INFORMATION CONTACT section of this notice.
Speakers who wish to expand upon their oral statements, those who had wished to speak but could not be accommodated on the agenda, and those who were unable to attend in person are invited to submit written statements. In addition, written statements are invited and may be submitted to the ISPAB at any time. All written statements should be directed to the ISPAB Secretariat, Information Technology Laboratory, 100 Bureau Drive, Stop 8930, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930.
Dated: September 19, 2012
Willie E. May
Associate Director for Laboratory Programs