NIST had a Continuous Monitoring (CM) workshop several months ago to solicit feedback and discuss a technical reference model, as described in draft Internal Report (IR) 7756: An Enterprise Continuous Monitoring Technical Reference Architecture.

The outcome was for NIST to propose technical workflows, subsystems, interfaces, and bindings to SCAP (asset, configuration, and vulnerability management).

NIST has just announced that the requested content is ready for review. They have setup weekly meetings for Thursdays at 10 am Pacific, starting August 18th with a general model discussion. A specific workflow or subsystem will be the subject of each following meeting. Details for the meetings will be communicated to the Emerging Specification Development List. The results of these meetings will be presented at the 7th IT Security Automation Conference.

Peiter Zatko says DARPA RA-11-52 CTF (Cyber Fast Track) was “launched about 18 hours ago”, which confirms a couple things:

1. Cyber is a term not going away anytime soon
2. The US government is going to try being a more overt and transparent supporter of Blackhat researchers (i.e. friends and colleagues of Peiter Zatko — “guys in my address book”)

Details on how to apply are online. Given that money is being pulled out of US education, this may offer an alternative path or a softer landing for students who hope to create software.

We need help and we have money

Opposite approaches to bicycle safety compliance enforcement, as documented on opposite sides of the Atlantic.

First, New York City police ticketed a cyclist for avoiding obstructions, which led to a sarcastic video response:

Second the Mayor of Vilnius, in a sarcastic video, warns that even high-value obstructions to the bicycle lane will be destroyed and then removed:

The PDF transcript from our Focus roundtable discussion on FISMA for cloud environments is now available.

In this roundtable teleconference, Focus Experts discussed cloud computing as it relates to government agencies.

Topics included:

• What are the factors that would influence a government organization’s decision to use the cloud services of another agency versus those of a private sector service?
• What kinds of issues should cloud service providers be prepared to deal with when providing services to government entities?
• Other than security, what other barriers to entry exist for government cloud adoption?
• Do recent security incidents help or hurt the case for government cloud computing?
• Are cloud providers ready to achieve government requirements?
• Can NIST recommendations alone achieve a sufficient level of cloud security?
• Is FISMA workable in the cloud, or is it time for a restart?