The National Institute of Standards and Technology has released the final updated version of its Cybersecurity Framework designed to help organizations manage and mitigate cybersecurity risks.

Cybersecurity Framework 2.0 supports the National Cybersecurity Strategy’s implementation and has a new governance component that highlights the need for organizations to make and execute informed decisions on cybersecurity strategy.

The governance component is in addition to the five original main functions of the framework: identify, protect, detect, respond and recover.

Laurie Locascio, director of NIST and under secretary of Commerce for standards and technology, said the framework has been a key tool that helps organizations anticipate and manage cybersecurity threats.

“CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve,” Locascio added.

In August, NIST opened the draft of the revised framework for public comment. The framework was first released in 2014.

The latest edition comes with a new reference tool to allow users to search and export data from the framework’s core guidance in machine-readable and human-consumable formats as well as a searchable catalog of informative references.

Register here to attend the Potomac Officers Club’s 2024 Cyber Summit on June 6 and hear cyber experts, government and industry leaders discuss the latest trends and the dynamic role of cyber in the public sector.

The National Security Agency and partners from the U.S., Canada, Australia, the U.K. and New Zealand have released a joint cybersecurity advisory outlining the tactics, techniques and procedures used by Russian foreign intelligence service, or SVR, cyber actors to infiltrate cloud-hosted networks.

The advisory focuses on how the Russian SVR cyber actors, also known as APT29, Midnight Blizzard, the Dukes or Cozy Bear, target an organization’s cloud environment by logging into inactive accounts and automated system accounts using techniques such as password spraying.

“We, along with our valued partners in the U.K., have seen the potential for Russian state actors to infiltrate cloud environments and we’re responding accordingly. As the world modernizes their systems, we need to do all we can to reduce the attack surface for cyber actors to penetrate,” said Rob Joyce, NSA’s director of cybersecurity and a two-time Wash100 awardee.

According to the advisory, SVR threat actors have previously targeted governmental, think tank, healthcare and energy sectors and are expanding their campaigns to include aviation, law enforcement, education, defense and local and state governments.

To mitigate the threats, the advisory recommends that network defenders and organizations enforce cybersecurity measures, including system account management, conditional access policies, device enrollment, strong passwords, multifactor authentication and system updates.

The Potomac Officers Club will host the 2024 Cyber Summit on June 6 to discuss the ever-evolving role of cyber across the government sector. Click here to register!

The Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security plans to launch a competition for a requirement to provide critical infrastructure risk analysis and planning services in support of the National Risk Management Center’s mission.

CISA intends to award the requirement through the OASIS contract vehicle, which stands for One Acquisition Solution for Integrated Services, according to a notice published Monday in the Acquisition Planning Forecast System.

Contract work includes conducting data analytics; performing risk analysis; aligning requirements, capabilities and data available to the National Risk Management Center to understand and mitigate risks to critical infrastructure; reviewing and analyzing systems and assets to identify risks for cascading impacts; and supporting potential work surges to back changing priorities.

CISA anticipates the release of a solicitation for the new requirement by April 9.

The planned requirement has an estimated value of between $20 million and $50 million and is expected to be awarded by the third quarter of fiscal year 2024.

Work will be performed in Arlington, Virginia, with an expected completion date of Sept. 26, 2025, according to APFS.

Join the Potomac Officers Club’s 2024 Cyber Summit on June 6 and hear cyber experts, government and industry leaders discuss the latest trends and the dynamic role of cyber in the public sector. Register here.

The White House Office of the National Cyber Director is urging technical and research sectors to do their part in implementing secure-by-design and memory-safe principles in software development.

In a report released Monday, ONCD analyzed common vulnerabilities and exposures and found that the most common cause of software bugs since the 1980s are memory safety vulnerabilities.

Software and hardware creators have the ability to proactively prevent these flaws by designing memory-safe programming languages, according to the report. Its recommendations are based in part on request for information responses from the private sector and academic community.

ONCD also called on the research community to develop diagnostic approaches for software measurability and memory safety.

“This report was created for engineers by engineers because we know they can make the architecture and design decisions about the building blocks they consume – and this will have a tremendous effect on our ability to reduce the threat surface, protect the digital ecosystem and ultimately, the Nation,” said Anjana Rajan, assistant national cyber director for technology security.