The trademark office said the data leak affected about 3% of the total number of trademark applicants filed during the three-year period and that the issue was fully fixed on April 1, without any data having been misused. 

“Upon discovery, the USPTO reported the data exposure to the Department’s Senior Agency Official for Privacy and it’s Enterprise Security Operations Center, which in turn reported the exposure to the Department of Homeland Security. As you are aware, the USPTO also notified affected parties of the exposure,” a USPTO spokesperson emailed FedScoop.

“The USPTO has no reason to believe that the data has been misused,” the spokesperson added.

U.S. law requires trademark applicants to include their private address when submitting an application in order to combat fraudulent trademark filings.

The trademark office said in a notice sent to all those impacted by the data leak that by April 1 the issue had been fully fixed by properly masking all of the private addresses and correcting all system vulnerabilities found.

The trademark office said that in February it discovered that private domicile addresses that should have been hidden from public view appeared in records retrieved through some application programming interfaces (APIs) of the Trademark Status and Document Review system (TSDR). The APIs are used in apps by both agency staff and trademark filers to access the TSDR system for checking the status of pending and registered trademarks.

Some private addresses also appeared on the bulk data portal of the USPTO website.

The trademark office highlighted that as a federal government agency, the USPTO does not have the same reporting requirements as a private company or a state or local agency would and does have a process whereby those who do not want their address to be shown publicly can request that it is not made public or they can waive the requirement altogether.

Details of the USPTO leak were first reported by TechCrunch.

The post US Patent and Trademark Office data leak exposed 61K private addresses  appeared first on FedScoop.

On June 13, CISA issued a binding operational directive ordering civilian agencies to remove from the internet any “networked management devices,” making them accessible only from an internal network, or to deploy zero-trust capabilities into their network architecture so an agency administrator can enforce access controls separate from the interface. Agencies were required to do so within two weeks of notification of such devices being connected to the internet.

Censys — a cybersecurity firm that specializes in threat-hunting across devices connected to the internet — used its platform to analyze more than 50 federal civilian branch agencies’ publicly exposed devices that they use to manage networks from the internet. It found ” hundreds of publicly exposed devices within the scope outlined in the [CISA] directive.”

“In the course of our research, we discovered nearly 250 instances of web interfaces for hosts exposing network appliances, many of which were running remote protocols such as SSH and TELNET. Among these were various Cisco network devices with exposed Adaptive Security Device Manager interfaces, enterprise Cradlepoint router interfaces exposing wireless network details, and many popular firewall solutions such as Fortinet Fortiguard and SonicWall appliances,” Censys wrote in a blog post sharing its findings.

In the post, the company explained: “These internet-exposed devices have long been the low-hanging fruit for threat actors to gain unauthorized access to important assets, and it’s encouraging that the federal government is taking this step to proactively improve their overall security posture and those of their adjacent systems.”

Censys also found more than “15 instances of exposed remote access protocols such as FTP, SMB, NetBIOS, and SNMP” — protocols that the firm says “have a history of security vulnerabilities, and exposing them to the internet raises the risk of being targeted by threat actors trying to gain remote unauthorized access to government infrastructure” — and “[m]ultiple out-of-band remote server management devices such as Lantronix SLC console servers,” which CISA said in its directive “should never be directly accessible via the public internet.”

To help civilian agencies meet the requirements of the directive, CISA issued accompanying implementation guidance with additional background and commonly asked questions.

The post ‘Hundreds’ of agency internet-connected devices found running in violation of recent CISA directive, cyber firm reports appeared first on FedScoop.

With the project, the federal cybersecurity agency has issued an extensible visibility reference framework guidebook and a technical reference architecture document, which it says will help public and private entities implement cloud cybersecurity best practices.

The fresh guidance comes after CISA in October issued recommended Microsoft 365 security configuration baselines for use in cloud security pilots by federal agencies and for public comment.

CISA’s Secure Cloud Business Applications project is focused on helping to protect sensitive information by providing agencies with minimum system specifications they must adhere to.

According to the agency, the technical reference architecture document is focused on helping government agencies to adopt technology for cloud deployment, adaptable solutions and zero-trust frameworks.

Commenting on the new documentation, CISA Executive Assistant for Cybersecurity Eric Goldstein said: “As evidenced by supply chain compromises and associated cyber threat campaigns, persistent threat actors continue to evolve their capabilities with the intent to compromise federal government networks and critical infrastructure, whether on on-premises or cloud-based environments.”

“The final eVRF and TRA provides all organizations, including federal agencies, with adaptable, flexible, and timely guidance. These resources will help organizations address cybersecurity and visibility gaps that have long hampered our collective ability to adequately understand and manage cyber risk,” he said.

Last month, a report issued by the Government Accountability Office found that four federal agencies were not fully implementing requirements set out in the Federal Risk and Authorization Management Program.

Despite the decade-old mandate that agencies use FedRAMP to ensure services meet federal cloud security standards, the four departments — Treasury, Labor, Homeland Security and Agriculture — inconsistently implemented the program’s requirements, according to the audit.

The post CISA issues updated cloud security resources for federal agencies appeared first on FedScoop.

CISA is looking to modernize parts of EINSTEIN — the program also known as the National Cybersecurity Protection System, which provides a frontline capability to monitor network traffic in and out of federal civilian branch agencies and situational awareness of malicious activity across the federal government — as “evolutions of technologies and threat landscapes have highlighted limitations in the EINSTEIN capabilities and the benefits it provides,” the agency said in a request for information published this week.

This means replacing sensors on agency networks that have been in place, in some cases, for a decade or longer. Specifically, CISA is considering changes to EINSTEIN 1 and EINSTEIN 2, which monitor traffic routed in and out of physical networks and systems.

“The visibility provided by existing EINSTEIN sensors remains a crucial enabler of CISA’s mission to protect [federal civilian executive branch] agencies,” reads the RFI, posted by the General Services Administration on behalf of CISA. “It is one component that CISA uses to gain operational visibility, protect FCEB agencies, and respond to threats. With the limitations of EINSTEIN capabilities, CISA stands to lose that needed visibility. Consequently, a new solution may be necessary to compensate for this loss of visibility to protect FCEB agencies adequately.”

Federal agencies’ enterprise IT architectures have been modernized and have evolved, largely by migrating to the cloud, since EINSTEIN was first introduced in 2003 and subsequently added to. This means CISA and agencies will need to also “consider other broader strategies beyond replacing the existing footprint of EINSTIEN capabilities (e.g., optimal placements in federal agencies, new technologies/techniques to maximize visibility, etc.).”

“For future CISA needs, the augmentation or replacement of this visibility must be considered within the current networking environment and how it may be combined and used with other data sources acquired by CISA analysts,” the RFI reads.

Industry responses are due by July 14.

The contract motion comes after CISA, in the fiscal 2024 president’s budget proposal, requested $425 million to restructure parts of EINSTEIN into a new Cyber Analytics and Data System. That system is meant to provide “tools and capabilities to facilitate the ingestion and integration of data as well as orchestrate and automate the analysis of data that supports the rapid identification, detection, mitigation, and prevention of malicious cyber activity.”

The 2024 budget request also called for $67 million for EINSTEIN and another $408 million for the agency’s Continuous Diagnostics and Mitigation (CDM) program, which provides agencies with a “window into the security posture of agency computers, servers, and other Internet-connected devices.”

CISA recently released a separate RFI for deploying new CDM capabilities across the federal government.

The post CISA considering the future state of EINSTEIN as agencies modernize appeared first on FedScoop.

The Administrative Office of the U.S. Courts (AO), the arm of the federal courts that deals with non-judicial business, wants information about a product that regularly simulates threats to test cybersecurity, known as a “Breach and Attack Simulation,” according to a request for information posted online.

The AO is looking for a product that “will enable continuous and consistent testing of multiple attack vectors against the Courts’ assets, including external and insider threats, lateral movement, and data exfiltration,” the solicitation said.

The courts’ Information Technology Security Office would use a Breach and Attack Simulation product to “identify the levels of risk that may not be readily apparent,” the solicitation said. 

The judiciary, like other federal entities, has been the subject of cyberattacks in recent years, and those attempts are expected to become more acute. 

In its fiscal year 2024 budget request, the judiciary disclosed its cyber-defenses halted “approximately 600 million harmful events from reaching court local area networks in 2022.” It previously reported those defenses stopped 43 million “harmful events” in 2020. 

The judiciary, in the most recent budget request, said it expected cyberattacks to “continue to intensify as hackers become increasingly proficient.”

The Administrative Office didn’t immediately have more details on the solicitation.

The post Federal courts exploring breach and attack simulation for cyber threats appeared first on FedScoop.

“Cybersecurity is a national security matter,” Matthew G. Olsen, assistant attorney general of the Justice Department’s National Security Division, said in a Tuesday event at Stanford’s Hoover Institution announcing the new section.

The section, which will be known as NatSec Cyber, will allow the National Security Division to “increase the scale and speed” of their disruption campaigns and prosecutions of cyber threats from nation-states and state-sponsored cybercriminals, Olsen said. The section already has congressional approval.

The creation of the new section is a response to findings from a cyber review in July 2022, DOJ said in an accompanying release. That report from Deputy Attorney General Lisa O. Monaco found the department needed to have personnel in place that are well-versed in understanding the intricacies of cyber breaches and attacks. 

Adding the section puts cyber work on “equal footing” with the other sections within the National Security Division, Olsen said. Leadership will be organized by geographical threat actors, which mirrors the structure of the FBI’s cyber division in an effort to aid their integration, he said.

The section will also be a resource for U.S. attorney offices around the country, Olsen said. 

“Responding to highly technical cyber threats often requires significant time and resources, and that’s not always possible within the demands of these individual U.S. attorney’s offices,” he said. 

Olsen said his goal for the new section is that it will “serve as something of an incubator” for cyber cases, investing time and energy early on to “ensure they’re properly handled.”

The post Justice Department adds new cyber-threat focused litigating section appeared first on FedScoop.

In a binding operational directive, CISA said bad actors are taking aim at “certain classes of network devices to gain unrestricted access to organizational networks leading to full scale compromises.”

As a result, the federal cybersecurity agency has ordered federal executive branch agencies to remove from the internet any “networked management devices,” making them accessible only from an internal network, or to deploy zero-trust capabilities into their network architecture so an agency administrator can enforce access controls separate from the interface.

In line with the Biden administration’s broader push for zero-trust security across the government, CISA’s preference is that agencies take the zero-trust approach. CISA in April issued a second version of its Zero Trust Maturity Model.

CISA classifies “networked management devices” as those devices that reside on or support federal information systems like routers, switches, firewalls, VPN concentrators, proxies, load balancers, and out of band server management interfaces that also connect to greater internet and use network protocols for remote management. That includes protocols like Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS), File Transfer Protocol (FTP), and others.

CISA gives a common example of such a configuration: “An agency employs a router that manages traffic inside their network. The router’s web management interface, used by an agency administrator, is accessible via HTTPS. The management interface is reachable by an entity directly from the public-facing internet. In this example, the management interface would fit the scope of the BOD and will be subject to the Required Actions.”

“As agencies and organizations have gained better visibility of their networks and improved endpoint detection and response, threat actors have adjusted tactics to evade these protections by targeting network devices supporting the underlying network infrastructure. Recent threat campaigns underscore the grave risk to the federal enterprise posed by improperly configured network devices,” the directive states.

As threat actors target misconfigured, insecure, or out-of-date network devices, the risk is even greater if they are connected to and accessible from the public internet, CISA says.

CISA will scan for such agency devices connected to the internet and notify agencies. Within 14 days of that notification or an independent discovery, agencies will be required to disconnect the devices from the internet or take corrective actions implementing zero-trust capabilities.

On top of this, CISA has directed agencies to implement technical controls for existing and newly added devices to take the same action of restricting them to an internal network or fortifying them with zero-trust access controls.

To help civilian agencies meet the requirements of the directive, CISA issued accompanying implementation guidance with additional background and commonly asked questions.

The post CISA directs agencies to disconnect ‘networked management devices’ from the internet appeared first on FedScoop.

The U.S. Government Accountability Office, in a Monday report, said it found the NNSA and its contractors are still in the early stages of inventorying the operational technology systems used in the production of nuclear weapons and the IT systems used within those weapons. The agency is also in the early stages of assessing and mitigating the risks those systems might pose, the report said.

The findings come after a September 2022 GAO report that found the agency didn’t have a cybersecurity risk management strategy for nuclear weapons IT systems. The new report focuses on the two areas where the most additional work was still needed: operational technologies and nuclear weapons IT. 

Allison Bawden, a co-author of the report and a director of GAO’s Natural Resources and Environment team, said what the team behind the report found was “they’re really pretty early on in terms of identifying those system risks, so that they can develop appropriate risk mitigation strategies.”

Bawden described those two issues explored in the report as “substantially different.”

With operational technology, there could be tens of thousands of systems that need to be identified, Bawden said. Whereas in the nuclear weapons area, there isn’t a large amount of IT in existing current nuclear weapons designs and therefore is a more “manageable environment” from a system risk perspective, she said.

The Department of Energy, under which the NNSA sits, didn’t immediately respond to a request for comment on the findings.

The report found NNSA’s work on creating an inventory of operational technologies, which encompasses things like building safety systems, has “been limited in scope.” The agency has identified the systems “associated with the most critical capability at each site” and is conducting assessments, the report found.

Bawden said that process is “really going to need concerted attention going forward in order to get that inventorying process complete so that system risks are well understood and can be mitigated.”

On nuclear weapons IT, the agency had still yet to define the term as of May, the report said. The GAO said agency officials told them they will identify systems that fit that category once the term is formally defined. 

While nuclear weapons IT is a more manageable risk environment right now, modern technologies could present new challenges, Bawden said. 

As most of the systems are undergoing modernization, she said, “it could be feasible that additional components will be introduced into new systems designs that present cyber risks.”

The post Nuclear security agency still in early stages of weapons cybersecurity, watchdog says appeared first on FedScoop.

Discussing CISA’s recently issued guidance to software vendors on developing code that is “secure by design and secure by default,” Easterly said Monday in a conversation at the Aspen Institute in D.C. that “government can have a big role” in incentivizing and driving private companies to employ those principles just by doing business with the ones that do.

“And that will help, I think, drive a good portion of the market to start creating products that come with less and less vulnerabilities,” Easterly said, pointing to President Biden’s cybersecurity executive order 14028 from 2021, which similarly calls on the government to lead the market shift with its purchasing power.

That EO, she said, “talks a lot about how you can use the government’s purchasing power to drive vendors to create safer products and to ensure that you have standards built-in.”

“We’re going through the Federal Acquisition Regulation process, which is very Byzantine and very bureaucratic, but hopefully we’ll get there,” Easterly said of creating rules that could require federal agencies to buy from vendors that have software that’s secure-by-design and -default.

CISA, in partnership with the White House, is currently in the process of accepting comments on an Office of Management and Budget rule that will require software firms to provide self-attestation forms stating that they have complied “with Federal Government-specified secure software development practices” as laid out in the National Institute of Standards and Technology’s Secure Software Development Framework.

As FedScoop first reported last week, the final version of the form that will be used for that process has not yet been approved, with the deadline for CISA’s comment period coming June 26. A senior official told FedScoop that OMB would “work fast” to approve the final version of the form once the industry comment period closes.

It’s not an easy transformation to shift the software industry toward being more transparent about risks, Easterly explained, as “we are dealing with decades of misaligned incentives.”

“It’s really been decades and decades of companies putting speed to market and features over safety and security,” she said. “And so what we want to do is essentially, be able to send market signals, because that’s what’s been missing: A clear signal so that consumers know what to ask for. And that’s the conversation that we’re starting. Consumers need to know.”

Along those lines, CISA is calling on vendors to be radically transparent and to “actually put out information about how secure their products are,” Easterly said.

“So all these things that consumers typically sort of think are kind of magic … and then they sign their agreement to accept liability, which essentially is what you do when you turn on a device — we’re really trying to make sure” consumers are educated about what they’re using, the CISA director said.

The post CISA’s Easterly points to government’s ‘purchasing power’ as a tool to force secure software development appeared first on FedScoop.

In a Thursday report, the VA’s Office of Inspector General revealed that the St. Cloud VA Medical Center didn’t meet federal information security guidelines in three of the four areas it investigated: configuration management, contingency planning, and access controls. The only category without deficiencies was security management controls.

The VA has struggled to implement the information security standards in the Federal Information Security Modernization Act of 2014 (FISMA), according to the report. The inspector general found the VA “continues to face significant challenges meeting the law’s requirements” in a fiscal year 2021 audit. 

The inspector general made eight recommendations to the information and technology chief information officer and two to the medical center director in the Thursday report, including implementing more effective processes for vulnerability management, inventory of network devices, and preventing use of prohibited software.

While the inspection was specific to the St. Cloud center, the report noted “other facilities across VA could benefit from reviewing this information and considering these recommendations.”

Among the issues found in the review were deficiencies in the medical center’s vulnerability management, which the report said “prior FISMA audits have repeatedly found.” 

Those issues included operating systems that weren’t supported by the vendor anymore and missing security patches in applications. While the Office of Information Technology (OIT) routinely scans for vulnerabilities, it didn’t detect all of the issues the inspection team found when it used the same tools for vulnerability scanning, the report said.

Security patches hadn’t been applied in several devices with “critical and high-risk vulnerabilities,” the report said. “Without these controls, VA may be placing critical systems at unnecessary risk of unauthorized access, alteration, or destruction.”

The review also found that the medical center failed to keep an accurate inventory of its information systems and discovered 19 “special-purpose systems” running Windows XP, which the report said “has not been supported in over eight years and is prohibited by OIT.”

The medical center’s data center also didn’t have an operational video surveillance system when the inspection team visited the facility, which it said “minimizes incident response capabilities of the security force in the event of compromised security controls.”

In a response included in the report, the assistant secretary for information and technology and chief information officer agreed with most of the recommendations and said he submitted action plans.

The CIO didn’t agree with the inspector general’s recommendation for a more effective inventory of network devices, arguing devices the inspection team found that weren’t accounted for in inventories were improperly identified.

The post Watchdog finds IT security issues at VA medical center in Minnesota appeared first on FedScoop.