The Federal Risk and Authorization Management Program (FedRAMP) office and the National Institute of Standards and Technology (NIST) have introduced a machine-readable standard that works to automate the preparation, authorization and reuse of commercial cloud offerings for the government sector. 

Version 1.0.0 of the Open Security Controls Assessment Language offers (OSCAL) a common programming format for agencies, cloud service providers and third-party assessors that participate in FedRAMP, according to a blog post published Tuesday.

The FedRAMP office expects OSCAL to help vendors prepare and review system security plans faster before they submit content to the government.

OSCAL is designed to also reduce the time it takes for agencies to evaluate security authorization packages and for third-party assessment organizations to report audit work on cloud offerings.

The language features updated stable versions of different models including the catalog and profile, system security plan, component definition, and assessment plans and results for monitoring activities.

OSCAL 1.0.0 also has modernized tools for the conversion of OSCAL, XML and JSON formats. The FedRAMP office first unveiled its project to automate the cloud authorization process in December 2019.

John Mitchell, president and CEO of electronics manufacturing industry association IPC, said the Department of Defense (DOD) should give careful consideration to small and medium-sized businesses seeking to comply with the Cybersecurity Maturity Model Certification (CMMC) program.

“The Pentagon needs to take into consideration that most SMBs do not have dedicated cybersecurity personnel to achieve the prerequisites, and while many commercial electronics manufacturers have considerable business with the defense community, they themselves do not consider themselves a defense contractor,” Mitchell said in a statement published Tuesday.

IPC surveyed 108 electronic manufacturers, suppliers and contract manufacturers between Feb. 25th and March 5th and found that 24 percent of respondents said the costs and burdens associated with CMMC compliance may force their companies to exit the U.S. defense market.

According to the survey, 32 percent of respondents said they expect to be ready to undergo a CMMC assessment in one to two years. The majority of the respondents said their companies are willing to spend at least $50,000 on CMMC readiness.

Leslie Weinstein, author of the IPC report on CMMC, said DOD can use existing industry certifications and standards to help reduce the costs and address uncertainties associated with CMMC compliance.

“The DoD recognizes a variety of respected, industry-driven certifications when it comes to hiring cybersecurity professionals,” said Weinstein. “Taking the same approach to certifying suppliers would allow companies to invest more in security than in redundant audits, and it would quickly create a pool of companies who are able to bid on DoD solicitations containing the CMMC DFARS clause. And importantly, it would prevent further erosion of the U.S. defense industrial base.”

If you want to know more about the latest updates about the Cybersecurity Maturity Model Certification, then check out Potomac Officers Club’s CMMC Forum coming up on June 16th. 

CMMC Accreditation Body Chairman Karlton Johnson will serve as the keynote speaker for the Forum to provide his overview and vision of the CMMC Rollout as well as the top priorities for the board and how industry feedback will help to improve the vision behind how the organization develops for the first 100 days.

To register for this virtual forum and view other upcoming events, visit the POC Events page. 

U.S. Indo-Pacific Command in its customary unfunded requirements list sent to Congress contains $889.94 million worth of projects and programs. INDOPACOM’s chief concern is more funding to develop a ballistic missile defense system for Guam. These lists are sent to Congress every year to help guide lawmakers as they decide what might require additional funding, DefenseNews reported on Tuesday.

INDOPACOM’s highest priority, a missile defense system for Guam would require $231.7 million in total. $77.2 million in procurement funding and $154.45 million in research and development.

The Missile Defense Agency (MDA) is planning to use $78.3 million in its FY22 base budget to inspect systems that could support the defense of Guam. The money would support detailed threat and requirements analysis, systems engineering, trade studies and specification updates.

Possible defenses for Guam are from the Aegis Combat System ships and the Terminal High Altitude Defense System (THAAD). They “are all part of that architecture consideration today, and we’re working that hard so that we can come forward and tell you exactly what we’re going to do on Guam,” commented Vice Adm. Jon Hill, MDA’s director, said during a June 9th hearing with the Senate Strategic Forces Subcommittee.

"Basing on Guam is critical to America’s goal to project its offensive power and deter possible threats in the INDOPACOM theater and that means the U.S. military must protect the island," Hill explained. 

Creating a dedicated missile defense capability on Guam would free up Navy ships to return to maneuver forces.

The Cybersecurity and Infrastructure Security Agency (CISA) has released a document to help organizations secure operational technology and control systems from ransomware threats. 

CISA said Wednesday that it advises organizations to develop manual controls that can maintain critical processes and industrial control systems amid ransomware risks.

The agency also recommends the implementation of regular backup procedures and a robust divide between information technology and OT networks.

The document also noted that backup procedures must be isolated from networks and that organizations must conduct continuous monitoring efforts.

CISA issued this guidance in response to recent incidents where cyber disruptions in IT networks also affected operational processes. The agency also advises organizations to report ransomware cases to law enforcement entities such as the FBI.

The National Cybersecurity Center of Excellence (NCCoE) has issued a draft report made to help organizations manage risks related to ransomware attacks.

NCCoE's Cybersecurity Framework Profile for Ransomware Risk Management draft defines security objectives to help parties prevent, address and recover from ransomware attacks, the National Institute of Standards and Technology (NIST) said Thursday.

Ransomware refers to encryption-based cyberattacks that block user access to information until an amount of money is paid. These attacks encrypt and potentially steal critical information, then propose to not leak the stolen data if the sum is paid.

NIST asks the public to comment and provide input on the draft. Interested parties may submit responses through July 9th.

Mike White, the principal director of hypersonics within the Office of the Undersecretary of Defense for Research and Engineering, said the technology he is in charge of is an important part of the military's modernization, DOD News reported Wednesday.

He said hypersonic weapons have the potential to strike high-priority targets and can sustain high-altitude flight at speeds near Mach 5. White said these characteristics make hypersonic missiles effective against long-range targets.

The Department of Defense (DOD) is working on hypersonic weapons applicable for launch from air, maritime and land domains. The three service branches corresponding to these domains, as well as the Missile Defense Agency (MDA), the Defense Advanced Research Projects Agency (DARPA) and other organizations, are working on various hypersonic technology projects.

The Department of Energy (DOE) will award $54 million worth of federal funding to 235 small businesses to support 266 research and development projects focused on advanced grid technologies, artificial intelligence, carbon capture and storage, solar and hydrogen power, electric vehicle batteries and other technological products that could help DOE record net-zero emissions by 2050.

DOE said Wednesday the awards are made through the Small Business Innovation Research and Small Business Technology Transfer (SBIR/STTR) programs that aim to boost commercialization of private sector-made technologies.

Secretary of Energy Jennifer Granholm considers small businesses as the backbone of the U.S. economy, "driving America’s leadership in energy efficiency, sustainable transportation and renewable power."

Some of the selected projects are on grid-smart building controls and workforce development and experiential bioenergy learning tools. Voss Scientific, one of the awardees, seeks to address thermal stress by working on high average-power laser amplifiers.

“With this round of federal funding, we’re going one step further to tap this homegrown resource to help bring the next generation of clean energy innovation to market while creating good-paying jobs across the private sector,” said Granholm.

Of the 235 awardees across 42 states, 29 are women-owned businesses.

The Government Accountability Office (GAO) has called on the Department of Homeland Security (DHS to fully implement risk management best practices with regard to its Homeland Advanced Recognition Technology (HART) program that seeks to replace its biometric identity management system. 

GAO assessed the HART program’s implementation of seven risk management practices and found that the program had fully implemented four of those best practices, according to a report published Tuesday.

Those practices are determining risk sources and categories, defining parameters to analyze and categorize risks, identifying and documenting risks and evaluating and categorizing each identified risk using defined risk categories.

Monitoring the status of each risk and developing a risk mitigation plan in accordance with the risk management strategy was among the practices partially implemented by DHS with regard to the HART program.

“While DHS has plans underway to fully implement two of the partially implemented practices until it fully implements the remaining practice its efforts to effectively monitor the status of risks and mitigation plans may be hampered,” the GAO report reads.

The congressional watchdog has recommended that DHS update its policy to reflect its revised process for assessing information technology programs.

According to the report, DHS plans to field the first increment of the potential $4.3 billion HART program in Dec. to replace the existing platform’s functionality. Succeeding increments are expected to be implemented in 2022 and 2024.