Morning Security Brief: IT Supply Chain Security, New Federal IT Security Priorities, and FTC Privacy Report Introduced
A new Government Accountability Office report recommends that the federal government strengthen the information security global supply chain. In addition, a top cybersecurity official outlines federal IT security priorities, and the Federal Trade Commission introduces a new privacy report.
♦ In a new report, the Government Accountability Office (GAO) urged federal agencies to improve the security of the global IT supply chain. The GAO examined four agencies in the report: the Departments of Energy, Homeland Security, Justice, and Defense. The report described several major threats to the IT supply chain, including the installation of harmful or counterfeit hardware or software as well as failure or disruption in the production or distribution of critical products. One report conclusion was that the Energy and Homeland Security departments had “not yet defined supply chain protection measures for department information systems and are not in a position to develop implementing procedures and monitoring capabilities.” The Justice Department “has defined supply chain protection measures but has not developed implementation procedures or monitoring capabilities.” In contrast, the Department of Defense appears to have made more progress, according to the report, having “defined supply chain protection measures and implementing procedures and initiated efforts to monitor compliance and effectiveness.”
♦ The White House’s cybersecurity coordinator, Howard Schmidt, recently outlined three major priorities that are needed to strengthen federal IT security. These areas, which Schmidt described in a blog post, include strengthening the security involved in connecting to the Internet. Another main goal is improving the continuous monitoring of federal information systems. For the latter, a major aim is to transform “the otherwise static security control assessment and authorization process into a dynamic risk mitigation program that provides essential, near real-time security status and remediation,” Schmidt wrote. A third major goal is to strengthen authentication, since, as Schmidt put it, “Passwords alone provide little security.” The blog stated that the main security aims had been decided upon by Schmidt along with other federal cybersecurity experts from agencies including the Departments of Homeland Security and Defense as well as the National Institute of Standards and Technology and the Office of Management and Budget.
♦ In Congressional testimony this week, Federal Trade Commission (FTC) chairman Jon Leibowitz described a new FTC privacy report and also suggested that Congress enact several types of privacy legislation. The new FTC report includes privacy recommendations and best practices for organizations and policymakers. It also reemphasizes the agency’s support for the continued implementation of a “Do Not Track” mechanism that would allow consumers to control the tracking of their online activities across Web sites. Report recommendations also include allowing consumers to have greater access to information about them that is held by data brokers. In testimony before the House Committee on Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade, the chairman suggested that Congress consider enacting general privacy legislation in addition to legislation on data security and breach notification. He also recommended the enactment of targeted legislation to address data brokers and how they handle and protect consumer information.