FCW : June 30, 2015
How US-CERT gets the word out

The U.S. Computer Emergency Readiness Team collaborates with other federal agencies and industry to quickly disseminate cyberthreat alerts

BY SEAN LYNGAAS

When a major vulnerability hits the Web, it is the U.S. Computer Emergency Readiness Team’s job to sound the alarm as quickly and effectively as possible. And given Heartbleed, Shellshock and other menacing revelations, US-CERT has had plenty of clamoring to do in the past year or so.

Internet users can subscribe to four separate US-CERT mailing lists, with “alerts” being the most urgent. Those alerts often include descriptions that are not overly technical so that a non-geek can understand them and take remedial security steps.

For instance, the alert for Heartbleed, the OpenSSL flaw discovered in April 2014, states: “This flaw allows a remote attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64K at a time.”

Users can rate the helpfulness of the alert as “yes,” “no” or “somewhat” at the bottom of each update. That feedback is presumably factored into how future alerts are crafted.

Although US-CERT is one of the main disseminators of threat information, it does not work alone. As part of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, the team has tapped the FBI, the Financial Services Information Sharing and Analysis Center, trusted private firms and a Canadian cyber response center for help in preparing alerts.

Like other federal offices that handle cybersecurity, US-CERT’s effectiveness rests on breaking down bureaucratic barriers so that it can act more quickly on threats, which can spread like wildfire.

US-CERT Director Ann Barron-DiCamillo said in a recent interview that industry is always interested in getting information more quickly and with greater context. Therefore, her team is working with intelligence agencies to strip relevant data from classified reports, she added.

Top-secret intelligence reports on cyberthreats contain technical data that is not classified, and separating that information “has been a huge focus, and it’s really helping with the timeliness as well as richer content associated with what we’re sharing,” she said.

In 2011, the term ERM might have been more broadly recognized than the understanding of the underlying concepts, but organizations have since sought to improve on that understanding. The winter 2013 edition of the Armed Forces Comptroller, the journal of the American Society of Military Comptrollers, focused largely on ERM, thereby helping to spread the word in that community.

An additional effort aimed at helping inform the federal community about ERM principles and practices was the publication of the book “Managing Risk and Performance: A Guide for Government Decision Makers” (Wiley, 2014), co-edited by the authors of this report.

Despite the initially slow progress and misunderstanding of the term “ERM,” concrete progress is now demonstrably underway. In the book just referenced, the last of 10 recommendations offered for the federal government was to “incorporate ERM explicitly into Circular A-11 and [Office of Management and Budget] reviews of agencies.”

On July 25, 2014, OMB released an update to Circular A-11 (its annual guidance to agencies on the preparation of their budget submissions) that recognized ERM as an important practice for managing agency risk.

OMB’s efforts to encourage an ERM approach

OMB’s current interest in ERM has evolved over time but became more evident early in 2013. OMB began working with the Government Accountability Office to provide input on an update