Assessing vulnerability risks with the Exploit Prediction Scoring System (EPSS)
Part 1: History of EPSS
Proactive vulnerability management is of critical importance in helping organizations identify and address security weaknesses before they can be exploited — reducing the risk of data breaches, downtime, and reputational damage. Assessing, tracking, and remediating vulnerabilities in systems is a responsibility shared by security teams, developer teams, and business owners.
How to use MITRE ATT&CK in conjunction with Threat Modeling
Cyber resilience is difficult to quantify, implement, and measure. What we do know is that it breaks down into proactive and reactive approaches to security. Reactive resilience is what happens after the incident: how quickly can we identify, contain, eradicate, and recover from the attack? Proactive resilience addresses understanding the attack surface and the ability to identify and thwart attacks before they happen.
Read the CMS ISSO Journal
What is the ISSO Journal?
The ISSO Journal was established to share knowledge among CMS Information System Security Officers (ISSOs) and promote ongoing role-based education. As the publication has evolved, it now serves the entire CMS cybersecurity community with the latest insights on security and privacy topics. It provides information about cybersecurity trends and developments at CMS to support ISSOs and decision makers alike.
Watch and Learn: System Categorization in CFACTS
Each new CMS FISMA system must define its security categorization based on the Federal Information Processing Standards Publication 199 (FIPS 199). Each system must be reviewed in the following categories:
- Confidentiality
- Integrity
- Availability
During review, each category is assigned a rating of low, moderate, or high impact. The most severe rating from any category (the high-water mark) becomes the system's overall security categorization.
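The high-water mark rule above is mechanical enough to be worth seeing in code. The following is an added example, not code from the CMS page or from CFACTS: it applies the rule the page states (the most severe of the confidentiality, integrity, and availability ratings becomes the overall categorization) and goes one step further to the per-information-type aggregation that FIPS 199 itself prescribes, where each objective's system rating is the highest rating across the information types the system processes. The information types and ratings in it are constructed sample data, and the function and variable names are the example's own.

```python
"""FIPS 199 security categorization by high-water mark.

Added example (not from the CMS page or CFACTS). Implements the FIPS 199
procedure: for each security objective, the system rating is the highest
rating across all information types; the overall categorization is the
highest of the three system ratings. The sample information types below
are constructed for illustration.
"""

# Ordinal scale for FIPS 199 potential impact. FIPS 199 permits "na"
# (not applicable) only for the confidentiality of an information type,
# never for integrity or availability, and never at the system level.
IMPACT_ORDER = {"na": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _validate(objective: str, level: str) -> str:
    """Normalise a rating string and reject values FIPS 199 does not allow."""
    level = level.strip().lower()
    if level not in IMPACT_ORDER:
        raise ValueError(f"unknown impact level {level!r} for {objective}")
    if level == "na" and objective != "confidentiality":
        raise ValueError(f"'na' is only allowed for confidentiality, not {objective}")
    return level


def categorize_system(info_types: dict[str, dict[str, str]]) -> dict[str, str]:
    """Return per-objective system ratings plus the overall categorization.

    info_types maps an information type name to its C/I/A ratings.
    For each objective the system rating is the highest rating across the
    information types (high-water mark). A system objective can never be
    'na', so it is floored at 'low'. The overall categorization is the
    highest of the three system objective ratings.
    """
    if not info_types:
        raise ValueError("at least one information type is required")
    system: dict[str, str] = {}
    for objective in OBJECTIVES:
        levels = []
        for name, ratings in info_types.items():
            if objective not in ratings:
                raise ValueError(f"{name} is missing a {objective} rating")
            levels.append(_validate(objective, ratings[objective]))
        highest = max(levels, key=IMPACT_ORDER.__getitem__)
        # FIPS 199: 'not applicable' cannot be assigned at the system level,
        # so a system whose only confidentiality ratings are 'na' is still 'low'.
        system[objective] = "low" if highest == "na" else highest
    system["overall"] = max((system[o] for o in OBJECTIVES), key=IMPACT_ORDER.__getitem__)
    return system


# Constructed sample: a beneficiary-facing portal handling two kinds of data.
SAMPLE_SYSTEM = {
    "public program announcements": {"confidentiality": "na", "integrity": "moderate", "availability": "low"},
    "beneficiary health records": {"confidentiality": "high", "integrity": "moderate", "availability": "moderate"},
}

if __name__ == "__main__":
    for objective, rating in categorize_system(SAMPLE_SYSTEM).items():
        print(f"{objective:>15}: {rating}")
```

For the constructed sample the system rates high for confidentiality and moderate for integrity and availability, so the overall categorization is high, driven entirely by the health-record information type. The practical point is that adding a single sensitive information type to a system raises the categorization for the whole system, which is why information-type inventories are worth reviewing before a system is registered.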
The 7 Tenets of Zero Trust for ISSOs and ADOs
In NIST Special Publication 800-207, Zero Trust Architecture, NIST identified seven tenets that form the foundation of Zero Trust. The Zero Trust Workgroup at CMS has applied these tenets to CMS IT. CMS has many initiatives that support Zero Trust architecture, so engaging with those early can set your project up for a more mature Zero Trust architecture in the future and increase security now.
Zero Trust Maturity Model, Version 2: now with less trust!
In April 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released version two of its Zero Trust Maturity Model (ZTMM). This version incorporates feedback from experts and the community in response to the initial June 2021 draft. CISA has kept its conceptual view of a Zero Trust Architecture (ZTA), with five pillars and three cross-cutting capabilities, but it has significantly revised the functions that make up each pillar and capability.
Evaluating Threat Modeling Methodologies
In today's increasingly digital world, cybersecurity has become an essential component of any organization's risk management strategy. Threat modeling is a key technique used by cybersecurity professionals to identify, prioritize, and mitigate potential threats and vulnerabilities in their systems and applications. There are various threat modeling methodologies used in the industry, but three of the most commonly used are STRIDE, DREAD, and PASTA.
CMS Cybersecurity Integration Center (CCIC) Red Team Engagements
In today's digital landscape, organizations face an ever-evolving array of cyber threats that can compromise their critical data assets. As technology advances, so do the tactics employed by malicious actors seeking to infiltrate networks, steal sensitive information, and cause damage. To counter these threats, organizations must assess their security posture comprehensively and proactively. This is where Red Team engagements come into play.
Executive Order on Improving the Nation’s Cybersecurity: What it means for you
What is the Executive Order?
The Executive Order on Improving the Nation's Cybersecurity (Executive Order 14028) is an important step forward in protecting Americans from cyber threats. The order, signed by President Biden on May 12, 2021, focuses on strengthening the cybersecurity of the federal government, critical infrastructure, and the private sector.
Zero Trust: what you need to know
Zero Trust is a cybersecurity model that offers protection for CMS systems, employees and beneficiaries through continuous validation at every stage of a digital interaction.
As CMS continues to modernize its systems and practices, the agency is implementing Zero Trust and its strong authentication methods, network segmentation, threat prevention, and “least access” policies to benefit everyone.