Getting a Pentest? Try a Threat Model first!
Introduction
As the sports saying goes, “The best defense is a good offense.” The idea is to gain a strategic advantage against an opponent by anticipating their move and forcing them to be in a defensive, reactive state. The same applies to cyber security. With the age of cloud, Agile SDLCs, and ever-increasing attack surface, it has become imperative for businesses to embrace proactive security practices to effectively safeguard their assets and
systems. Often done alone, two vital approaches are Threat Modeling and Penetration Testing.
Assessing vulnerability risks with the Exploit Prediction Scoring System (EPSS)
Part 1: History of EPSS
Proactive vulnerability management is of critical importance in helping organizations identify and address security weaknesses before they can be exploited — reducing the risk of data breaches, downtime, and reputational damage. Assessing, tracking, and remediating vulnerabilities in systems is a responsibility shared by security teams, developer teams, and business owners.
CMS Key Management Handbook
Background
This handbook aligns with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-57 series, the CMS IS2P2, and the CMS Acceptable Risk Safeguards (ARS).
Read the CMS ISSO Journal
What is the ISSO Journal?
The ISSO Journal was established to share knowledge among CMS Information System Security Officers (ISSOs) and promote ongoing role-based education. As the publication evolved over time, it now serves the entire CMS cybersecurity community with the latest insights on security and privacy topics. It provides information about cybersecurity trends and developments at CMS to support ISSOs and decision makers alike.
Watch and Learn: System Categorization in CFACTS
Each new CMS FISMA system must define its security categorization based on the Federal Information Processing Standards Publication 199 (FIPS 199). Each system must be reviewed in the following categories:
- Confidentiality
- Integrity
- Availability
During review, each category is assigned a rating of low, moderate, or high impact. The most severe rating from any category becomes the system's overall security categorization.
Template management is changing at ISPG: what you need to know
The debut of CyberGeek has allowed ISPG to re-evaluate the way we publish and manage our core documents. CyberGeek is now the official ISPG website and serves as the single-source of truth for security and privacy at CMS that provides:
The 7 Tenets of Zero Trust for ISSOs and ADOs
As part of their white paper on Zero Trust SP-800-207, NIST identified Seven Tenets that form the foundation of Zero Trust. The Zero Trust Workgroup at CMS has applied these tenets to CMS IT. CMS has many initiatives that support Zero Trust architecture, so engaging with those early can set your project up for a more mature Zero Trust architecture in the future and increase security now.