CSEAT will review agencies' security for free

By Susan M. Menke

GCN Staff


JULY 30: The National Institute of Standards and Technology has set up a computer security expert assist team, called CSEAT, to improve agencies' infrastructure protection and share best security practices.

'It was kind of a surprise' to get a budget line item for CSEAT, said its director, Kathy Lyons-Burke. 'We didn't expect Congress to give us the money.'

The first review started in June at the Federal Emergency Management Agency. The process takes about three months. 'We don't give a grade, and we don't break in,' Lyons-Burke said. 'We will apply consistent control objectives and criteria' across agencies and eventually draw an overall comparative picture of federal security policy.

NIST's independent reviews will not duplicate the work of existing computer emergency response teams or of the Federal Computer Incident Response Capability, the National Infrastructure Protection Center or the Critical Infrastructure Assurance Office, Lyons-Burke said. CSEAT will come in only at an agency's request or, for high-risk programs, with a push from the Office of Management and Budget.

Each review will produce high-level findings, a 'sanity check' of how well personnel understand policies, and a report with prioritized recommendations, she said. Although there is no cost to the agency except for providing documentation and a contact, NIST requires agency feedback after 30 days and again after 180 days about which recommendations were followed and why.

Agencies can request a security review by sending e-mail to [email protected]
