Dee Finney's blog
start date  July 20, 2011
Today's date June 3, 2012
page 234

TOPIC  FISMA:  HR-4257
House Approves FISMA
4/26/2012

WASHINGTON, DC — On a unanimous voice vote, the Federal Information Security Amendments Act of 2012 (HR 4257) was approved by the House of Representatives.

"Today's bipartisan approval of FISMA shows that Congress is serious about our nation's cybersecurity," said Rep. Darrell Issa, R-Calif., chairman of the House Oversight and Government Reform Committee and the bill's lead Republican sponsor. "FISMA 2002 is in desperate need of an update. This legislation will ensure that agencies are better prepared against real threats instead of the monotonous 'check the box' activity that FISMA has become."

The legislation's lead cosponsor is Rep. Elijah Cummings, D-Md., ranking member of the Oversight Committee.

FISMA enhances the Federal Information Security Management Act (FISMA) of 2002 by improving the framework for securing information technology systems. It also establishes a mechanism for stronger oversight of information technology systems by focusing on automated and continuous monitoring of cybersecurity threats and regular "threat assessments." The nature of the threat necessitates automated and continuous monitoring, when possible, of information technology systems. This capability is already being utilized in some form by agencies, and the severity of the threat requires the eventual progression to achieve real time or near-real time continuous monitoring.

FISMA is available for review at Keepthewebopen.com.

 

FISMA 2002

 

Federal Information Security Management Act (FISMA) Implementation Project

 

Protecting the Nation's Critical Information Infrastructure

Our Vision

To promote the development of key security standards and guidelines to support the implementation of, and compliance with, the Federal Information Security Management Act, including:

  • Standards for categorizing information and information systems by mission impact
  • Standards for minimum security requirements for information and information systems
  • Guidance for selecting appropriate security controls for information systems
  • Guidance for assessing security controls in information systems and determining security control effectiveness
  • Guidance for the security authorization of information systems
  • Guidance for monitoring the security controls and the security authorization of information systems

Leading To...

  • The implementation of cost-effective, risk-based information security programs
  • The establishment of a level of security due diligence for federal agencies and contractors supporting the federal government
  • More consistent and cost-effective application of security controls across the federal information technology infrastructure
  • More consistent, comparable, and repeatable security control assessments
  • A better understanding of enterprise-wide mission risks resulting from the operation of information systems
  • More complete, reliable, and trustworthy information for authorizing officials, facilitating more informed security authorization decisions
  • More secure information systems within the federal government including the critical infrastructure of the United States

The FISMA Implementation Project was established in January 2003 to produce several key security standards and guidelines required by Congressional legislation. These publications include FIPS 199, FIPS 200, and NIST Special Publications 800-53, 800-59, and 800-60. Additional security guidance documents are being developed in support of the project including NIST Special Publications 800-37, 800-39, and 800-53A. It should be noted that the Computer Security Division continues to produce other security standards and guidelines in support of FISMA. These publications can be located by visiting the division's Publications page at: http://csrc.nist.gov/publications/.

 

Publications

Special Publications (800 Series)

Special Publications in the 800 series present documents of general interest to the computer security community. The Special Publication 800 series was established in 1990 to provide a separate identity for information technology security publications. This Special Publication 800 series reports on ITL's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

Special Publications
Number Date Title
SP 800-155 Dec. 8, 2011 DRAFT BIOS Integrity Measurement Guidelines
draft-SP800-155_Dec2011.pdf
SP 800-153 Feb. 2012 Guidelines for Securing Wireless Local Area Networks (WLANs)
sp800-153.pdf
SP 800-147 Apr. 2011 Basic Input/Output System (BIOS) Protection Guidelines
NIST-SP800-147-April2011.pdf
SP 800-146 May 2012 Cloud Computing Synopsis and Recommendations
sp800-146.pdf
SP 800-145 Sept. 2011 A NIST Definition of Cloud Computing
SP800-145.pdf
SP 800-144 Dec. 2011 Guidelines on Security and Privacy in Public Cloud Computing
SP800-144.pdf
SP 800-142 Oct. 2010 Practical Combinatorial Testing
SP800-142-101006.pdf
SP 800-137 Sept. 2011 Information Security Continuous Monitoring for Federal Information Systems and Organizations
SP800-137-Final.pdf
SP 800-135 Rev. 1 Dec. 2011 Recommendation for Existing Application-Specific Key Derivation Functions
sp800-135-rev1.pdf
SP 800-133 Aug. 1, 2011 DRAFT Recommendation for Cryptographic Key Generation
Draft-SP-800-133_Key-Generation.pdf
SP 800-132 Dec. 2010 Recommendation for Password-Based Key Derivation Part 1: Storage Applications
nist-sp800-132.pdf
SP 800-131 C Feb. 10, 2011 DRAFT Transitions: Validating the Transition from FIPS 186-2 to FIPS 186-3
draft-SP800-131C_February2011.pdf
Comments-Received_draft-SP-800-131C.pdf
SP 800-131 B Feb. 10, 2011 DRAFT Transitions: Validation of Transitioning Cryptographic Algorithm and Key Lengths
draft-SP800-131B_February2011.pdf
Comments-Received_draft-SP800-131B.pdf
SP 800-131 A Jan. 2011 Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
sp800-131A.pdf
SP 800-130 Apr. 13, 2012 DRAFT A Framework for Designing Cryptographic Key Management Systems
second-draft_sp-800-130_april-2012.pdf
SP 800-128 Aug. 2011 Guide for Security-Focused Configuration Management of Information Systems
sp800-128.pdf
SP 800-127 Sept. 2010 Guide to Securing WiMAX Wireless Communications
sp800-127.pdf
SP 800-126 Rev. 2 Sept. 2011 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2
SP800-126r2.pdf
sp800-126r2-errata-20120409.pdf
SP 800-126 Rev. 1 Feb. 2011 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1
SP800-126r1.pdf
SP 800-126 Nov. 2009 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.0
sp800-126.pdf
SP 800-125 Jan. 2011 Guide to Security for Full Virtualization Technologies
SP800-125-final.pdf
SP 800-124 Oct 2008 Guidelines on Cell Phone and PDA Security
SP800-124.pdf
SP 800-123 Jul 2008 Guide to General Server Security
SP800-123.pdf
SP 800-122 Apr. 2010 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
sp800-122.pdf
SP 800-121 Rev. 1 Sept. 27, 2011 DRAFT Guide to Bluetooth Security
Draft-SP800-121_Rev1.pdf
SP 800-121 Sept 2008 Guide to Bluetooth Security
SP800-121.pdf
SP 800-120 Sept. 2009 Recommendation for EAP Methods Used in Wireless Network Access Authentication
sp800-120.pdf
SP 800-119 Dec. 2010 Guidelines for the Secure Deployment of IPv6
sp800-119.pdf
SP 800-118 Apr. 21, 2009 DRAFT Guide to Enterprise Password Management
draft-sp800-118.pdf
SP 800-117 Rev. 1 Jan. 6, 2012 DRAFT Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2
Draft-SP800-117-r1.pdf
SP 800-117 July 2010 Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.0
sp800-117.pdf
SP 800-116 Nov 2008 A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)
SP800-116.pdf
SP 800-115 Sept 2008 Technical Guide to Information Security Testing and Assessment
SP800-115.pdf
SP 800-114 Nov 2007 User's Guide to Securing External Devices for Telework and Remote Access
SP800-114.pdf
SP 800-113 Jul 2008 Guide to SSL VPNs
SP800-113.pdf
SP 800-111 Nov 2007 Guide to Storage Encryption Technologies for End User Devices
SP800-111.pdf
SP 800-108 Oct. 2009 Recommendation for Key Derivation Using Pseudorandom Functions
sp800-108.pdf
SP 800-107 Revised Sept. 14, 2011 DRAFT Recommendation for Applications Using Approved Hash Algorithms
Draft_Revised_SP800-107.pdf
SP 800-107 Feb. 2009 Recommendation for Applications Using Approved Hash Algorithms
NIST-SP-800-107.pdf
SP 800-106 Feb. 2009 Randomized Hashing for Digital Signatures
NIST-SP-800-106.pdf
SP 800-104 Jun 2007 A Scheme for PIV Visual Card Topography
SP800-104-June29_2007-final.pdf
SP 800-103 Oct 6, 2006 DRAFT An Ontology of Identity Credentials, Part I: Background and Formulation
sp800-103-draft.pdf
SP 800-102 Sept. 2009 Recommendation for Digital Signature Timeliness
sp800-102.pdf
SP 800-101 May 2007 Guidelines on Cell Phone Forensics
SP800-101.pdf
SP 800-100 Oct 2006 Information Security Handbook: A Guide for Managers
SP800-100-Mar07-2007.pdf
SP 800-98 Apr 2007 Guidelines for Securing Radio Frequency Identification (RFID) Systems
SP800-98_RFID-2007.pdf
SP 800-97 Feb 2007 Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
SP800-97.pdf
SP 800-96 Sep 2006 PIV Card to Reader Interoperability Guidelines
SP800-96-091106.pdf
SP 800-95 Aug 2007 Guide to Secure Web Services
SP800-95.pdf
SP 800-94 Feb 2007 Guide to Intrusion Detection and Prevention Systems (IDPS)
SP800-94.pdf
SP 800-92 Sep 2006 Guide to Computer Security Log Management
SP800-92.pdf
SP 800-90 A Jan. 2012 Recommendation for Random Number Generation Using Deterministic Random Bit Generators
SP800-90A.pdf
SP 800-89 Nov 2006 Recommendation for Obtaining Assurances for Digital Signature Applications
SP-800-89_November2006.pdf
SP 800-88 Sep 2006 Guidelines for Media Sanitization
NISTSP800-88_with-errata.pdf
SP 800-87 Rev 1 Apr 2008 Codes for Identification of Federal and Federally-Assisted Organizations
SP800-87_Rev1-April2008Final.pdf
SP 800-86 Aug 2006 Guide to Integrating Forensic Techniques into Incident Response
SP800-86.pdf
SP 800-85 B-1 Sept. 11, 2009 DRAFT PIV Data Model Conformance Test Guidelines
draft-sp800-85B-1.pdf
sp800-85B_Change_Summary.pdf
Comment-Template_sp800-85B-1.xls
SP 800-85 B Jul 2006 PIV Data Model Test Guidelines
SP800-85b-072406-final.pdf
SP 800-85 A-2 July 2010 PIV Card Application and Middleware Interface Test Guidelines (SP800-73-3 Compliance)
sp800-85A-2-final.pdf
SP 800-84 Sep 2006 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
SP800-84.pdf
SP 800-83 Nov 2005 Guide to Malware Incident Prevention and Handling
SP800-83.pdf
SP 800-82 Jun. 2011 Guide to Industrial Control Systems (ICS) Security
SP800-82-final.pdf
SP 800-81 Rev. 1 Apr. 2010 Secure Domain Name System (DNS) Deployment Guide
sp-800-81r1.pdf
SP 800-79 -1 Jun 2008 Guidelines for the Accreditation of Personal Identity Verification (PIV) Card Issuers (PCI's)
SP800-79-1.pdf
SP 800-78 -3 Dec. 2010 Cryptographic Algorithms and Key Sizes for Personal Identification Verification (PIV)
sp800-78-3.pdf
SP 800-77 Dec 2005 Guide to IPsec VPNs
sp800-77.pdf
SP 800-76 -2 Apr. 18, 2011 DRAFT Biometric Data Specification for Personal Identity Verification
Draft_SP800-76-2.pdf
comments-template-for_draft-sp800-76-2.doc
SP 800-76 -1 Jan 2007 Biometric Data Specification for Personal Identity Verification
SP800-76-1_012407.pdf
SP 800-73 -3 Feb. 2010 Interfaces for Personal Identity Verification (4 Parts)
Pt. 1- End Point PIV Card Application Namespace, Data Model & Representation
Pt. 2- PIV Card Application Card Command Interface
Pt. 3- PIV Client Application Programming Interface
Pt. 4- The PIV Transitional Interfaces & Data Model Specification
sp800-73-3_PART1_piv-card-applic-namespace-date-model-rep.pdf
sp800-73-3_PART2_piv-card-applic-card-common-interface.pdf
sp800-73-3_PART3_piv-client-applic-programming-interface.pdf
sp800-73-3_PART4_piv-transitional-interface-data-model-spec.pdf
SP 800-72 Nov 2004 Guidelines on PDA Forensics
sp800-72.pdf
SP 800-70 Rev. 2 Feb. 2011 National Checklist Program for IT Products: Guidelines for Checklist Users and Developers
SP800-70-rev2.pdf
SP 800-69 Sep 2006 Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist
guidance_WinXP_Home.html
SP 800-68 Rev. 1 Oct. 2008 Guide to Securing Microsoft Windows XP Systems for IT Professionals
download_WinXP.html
SP 800-67 Rev. 1 Jan. 2012 Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
SP-800-67-Rev1.pdf
SP 800-66 Rev 1 Oct 2008 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP-800-66-Revision1.pdf
SP 800-65 Rev. 1 July 14, 2009 DRAFT Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC)
draft-sp800-65rev1.pdf
SP 800-65 Jan 2005 Integrating IT Security into the Capital Planning and Investment Control Process
SP-800-65-Final.pdf
SP 800-64 Rev. 2 Oct 2008 Security Considerations in the System Development Life Cycle
SP800-64-Revision2.pdf
SP 800-63 Rev. 1 Dec. 2011 Electronic Authentication Guideline
SP-800-63-1.pdf
SP 800-63 Version 1.0.2 Apr 2006 Electronic Authentication Guideline
SP800-63V1_0_2.pdf
SP 800-61 Rev. 2 Jan. 31, 2012 DRAFT Computer Security Incident Handling Guide
draft-sp800-61rev2.pdf
SP 800-61 Rev. 1 Mar 2008 Computer Security Incident Handling Guide
SP800-61rev1.pdf
SP 800-60 Rev. 1 Aug 2008 Guide for Mapping Types of Information and Information Systems to Security Categories: (2 Volumes) - Volume 1: Guide Volume 2: Appendices
SP800-60_Vol1-Rev1.pdf
SP800-60_Vol2-Rev1.pdf
SP 800-59 Aug 2003 Guideline for Identifying an Information System as a National Security System
SP800-59.pdf
SP 800-58 Jan 2005 Security Considerations for Voice Over IP Systems
SP800-58-final.pdf
SP 800-57 Part 1 May 6, 2011 DRAFT Recommendation for Key Management: Part 1: General
Draft_SP800-57-Part1-Rev3_May2011.pdf
comments-received_draft-SP800-57-1.pdf
SP 800-57 Mar 2007 Recommendation for Key Management
sp800-57-Part1-revised2_Mar08-2007.pdf
SP800-57-Part2.pdf
sp800-57_PART3_key-management_Dec2009.pdf
SP 800-56 C Nov. 2011 Recommendation for Key Derivation through Extraction-then-Expansion
SP-800-56C.pdf
SP 800-56 B Aug. 2009 Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography
sp800-56B.pdf
SP 800-56 A Mar 2007 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
SP800-56A_Revision1_Mar08-2007.pdf
SP 800-55 Rev. 1 Jul 2008 Performance Measurement Guide for Information Security
SP800-55-rev1.pdf
SP 800-54 Jul 2007 Border Gateway Protocol Security
SP800-54.pdf
SP 800-53 Rev. 4 Feb. 28, 2012 DRAFT Security and Privacy Controls for Federal Information Systems and Organizations (Initial Public Draft)
sp800-53-rev4-ipd.pdf
sp800-53-rev4_appendix-D_markup.pdf
sp800-53-rev4_appendix-F_markup.pdf
sp800-53-rev4_appendix-G_markup.pdf
SP 800-53 Rev. 3 Aug 2009 Recommended Security Controls for Federal Information Systems and Organizations
(*Errata as of May 1, 2010*)
sp800-53-rev3-final_updated-errata_05-01-2010.pdf
sp-800-53-rev3_database-beta.html
800-53-rev3_markup-final-public-draft-to-final-updated_may-01-2010.pdf
800-53-rev3_markup-rev2-to-rev3_updated-may-01-2010.pdf
800-53-rev3-Annex1_updated_may-01-2010.pdf
800-53-rev3-Annex2_updated_may-01-2010.pdf
800-53-rev3-Annex3_updated_may-01-2010.pdf
SP_800-53_Rev-3_database-R1.4.1-BETA.zip
SP 800-53 A Rev. 1 Jun. 2010 Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans
sp800-53A-rev1-final.pdf
assessment.html
SP 800-52 Jun 2005 Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations
SP800-52.pdf
SP 800-51 Rev. 1 Feb. 2011 Guide to Using Vulnerability Naming Schemes
SP800-51rev1.pdf
SP 800-50 Oct 2003 Building an Information Technology Security Awareness and Training Program
NIST-SP800-50.pdf
SP 800-49 Nov 2002 Federal S/MIME V3 Client Profile
sp800-49.pdf
SP 800-48 Rev. 1 Jul 2008 Guide to Securing Legacy IEEE 802.11 Wireless Networks
SP800-48r1.pdf
SP 800-47 Aug 2002 Security Guide for Interconnecting Information Technology Systems
sp800-47.pdf
SP 800-46 Rev. 1 Jun. 2009 Guide to Enterprise Telework and Remote Access Security
sp800-46r1.pdf
SP 800-45 Version 2 Feb 2007 Guidelines on Electronic Mail Security
SP800-45v2.pdf
SP 800-44 Version 2 Sep 2007 Guidelines on Securing Public Web Servers
SP800-44v2.pdf
SP 800-43 Nov 2002 Systems Administration Guidance for Windows 2000 Professional System
guidance_W2Kpro.html
SP 800-41 Rev. 1 Sept. 2009 Guidelines on Firewalls and Firewall Policy
sp800-41-rev1.pdf
SP 800-40 Version 2.0 Nov 2005 Creating a Patch and Vulnerability Management Program
SP800-40v2.pdf
SP 800-39 Mar. 2011 Managing Information Security Risk: Organization, Mission, and Information System View
SP800-39-final.pdf
SP 800-38 F Aug. 11, 2011 DRAFT Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping
Draft-SP800-38F_Aug2011.pdf
SP 800-38 A Dec 2001 Recommendation for Block Cipher Modes of Operation - Methods and Techniques
sp800-38a.pdf
SP 800-38 A - Addendum Oct. 2010 Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode
addendum-to-nist_sp800-38A.pdf
SP 800-38 B May 2005 Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
SP_800-38B.pdf
Updated_CMAC_Examples.pdf
SP 800-38 C May 2004 Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality
SP800-38C_updated-July20_2007.pdf
SP 800-38 D Nov 2007 Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
SP-800-38D.pdf
SP 800-38 E Jan. 2010 Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices
nist-sp-800-38E.pdf
SP 800-37 Rev. 1 Feb. 2010 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
sp800-37-rev1-final.pdf
sp800-37-rev1_markup-copy_final.pdf
SP 800-36 Oct 2003 Guide to Selecting Information Technology Security Products
NIST-SP800-36.pdf
SP 800-35 Oct 2003 Guide to Information Technology Security Services
NIST-SP800-35.pdf
SP 800-34 Rev. 1 May 2010 Contingency Planning Guide for Federal Information Systems (Errata Page - Nov. 11, 2010)
sp800-34-rev1_errata-Nov11-2010.pdf
SP 800-33 Dec 2001 Underlying Technical Models for Information Technology Security
sp800-33.pdf
SP 800-32 Feb 2001 Introduction to Public Key Technology and the Federal PKI Infrastructure
sp800-32.pdf
SP 800-30 Rev. 1 Sept. 19, 2011 DRAFT Guide for Conducting Risk Assessments
SP800-30-Rev1-ipd.pdf
SP 800-30 Jul 2002 Risk Management Guide for Information Technology Systems
sp800-30.pdf
SP 800-29 Jun 2001 A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2
sp800-29.pdf
SP 800-28 Version 2 Mar 2008 Guidelines on Active Content and Mobile Code
SP800-28v2.pdf
SP 800-27 Rev. A Jun 2004 Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
SP800-27-RevA.pdf
SP 800-25 Oct 2000 Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
sp800-25.pdf
SP 800-24 Aug 2000 PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
sp800-24pbx.pdf
SP 800-23 Aug 2000 Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
sp800-23.pdf
SP 800-22 Rev. 1a Apr. 2010 A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
SP800-22rev1a.pdf
SP 800-21 2nd edition Dec 2005 Guideline for Implementing Cryptography in the Federal Government
sp800-21-1_Dec2005.pdf
SP 800-20 Oct 1999 Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS): Requirements and Procedures
800-20.pdf
SP 800-19 Oct 1999 Mobile Agent Security
sp800-19.pdf
SP 800-18 Rev.1 Feb 2006 Guide for Developing Security Plans for Federal Information Systems
sp800-18-Rev1-final.pdf
SP 800-17 Feb 1998 Modes of Operation Validation System (MOVS): Requirements and Procedures
800-17.pdf
SP 800-16 Rev. 1 Mar. 20, 2009 DRAFT Information Security Training Requirements: A Role- and Performance-Based Model
Draft-SP800-16-Rev1.pdf
SP 800-16 Apr 1998 Information Technology Security Training Requirements: A Role- and Performance-Based Model
800-16.pdf
AppendixA-D.pdf
Appendix_E.pdf
SP 800-15 Version 1 Sep 1997 MISPC Minimum Interoperability Specification for PKI Components
SP800-15.PDF
SP 800-14 Sep 1996 Generally Accepted Principles and Practices for Securing Information Technology Systems
800-14.pdf
SP 800-13 Oct 1995 Telecommunications Security Guidelines for Telecommunications Management Network
sp800-13.pdf
SP 800-12 Oct 1995 An Introduction to Computer Security: The NIST Handbook
handbook.pdf
index.html

 

H.R. 4257, Federal Information Security Amendments Act of 2012

April 20, 2012

As ordered reported by the House Committee on Oversight and Government Reform on April 18, 2012

H.R. 4257 would amend the Federal Information Security Management Act of 2002 (FISMA) to improve the security of federal information technology systems. The legislation would require continuous monitoring of computer systems and provide the Office of Management and Budget (OMB) and federal agencies with specific new responsibilities to secure federal information systems.

Based on information from the Department of Homeland Security (DHS), the Office of Management and Budget (OMB), and other major agencies working to ensure the security of federal information systems, CBO estimates that implementing H.R. 4257 would cost $710 million over the 2013-2017 period, assuming appropriation of the necessary amounts. Most of those funds would be spent on salaries, expenses, and computer hardware and software. Enacting the bill would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply.

H.R. 4257 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act (UMRA) and would impose no costs on state, local, or tribal governments.


House Declares Cybersecurity Week with Introduction of Four Cybersecurity Bills

Created by Rodney Petersen (EDUCAUSE) on April 24, 2012

The U.S. House of Representatives is introducing this week four pieces of legislation for votes. Below is a summary of each bill provided by House Speaker John Boehner:

Cyber Intelligence Sharing and Protection Act (H.R. 3523), introduced by Intelligence Committee Chairman Mike Rogers (R-MI), will help private sector job creators defend themselves from attacks from countries like China and Russia by allowing the government to provide the intelligence information needed to protect their networks and their customers’ privacy. The bill also provides positive authority to private-sector entities to defend their own networks and to those of their customers, and to share cyber threat information with others in the private sector, as well as with the federal government on a purely voluntary basis.

Federal Information Security Amendments (H.R. 4257), introduced by Oversight & Government Reform Committee Chairman Darrell Issa (R-CA), will enhance the Federal Information Security Management Act (FISMA) by improving the framework for securing information technology of federal government systems. It also establishes a mechanism for stronger oversight of information technology systems by focusing on “automated and continuous monitoring” of cybersecurity threats and regular “threat assessments,” and reaffirms the role of OMB with respect to FISMA, recognizing that the budgetary leverage of the Executive Office of the President is necessary to ensure effective security over information technology systems.

Cybersecurity Enhancement Act (H.R. 2096), introduced by Rep. Mike McCaul (R-TX), will improve coordination of research and related activities conducted across the federal agencies to better address evolving cyber threats. The bill strengthens the efforts of the National Science Foundation (NSF) and the National Institute of Standards and Technology (NIST) in the areas of cybersecurity technical standards and cybersecurity awareness, education, and talent development.

Advancing America’s Networking and Information Technology Research and Development (NITRD) Act (H.R. 3834), introduced by Science, Space, and Technology Chairman Ralph Hall (R-TX), reauthorizes the NITRD program, which represents the federal government’s central R&D investment portfolio for unclassified networking, computing, software, cybersecurity, and related information technology and involves 15 member agencies. In the area of cybersecurity, the NITRD program focuses on R&D to detect, prevent, resist, respond to, and recover from actions that compromise or threaten to compromise the availability, integrity, or confidentiality of computer- and network-based systems.

These bills, collectively, promise to impact the various roles of higher education in significant ways, including the academic mission to educate the next generation of cybersecurity professionals, research and discovery of future solutions to our cybersecurity challenges, and the operations of campus computing networks that, while not considered "critical infrastructure," are a key asset and an important part of the overall Internet economy. EDUCAUSE will continue to monitor and report on these bills as they move through the House and will track similar actions in the Senate.

 

THIS IS THE WAY IT USED TO BE:  NO MORE NICE GUY

Fact Sheet 9:
Wiretapping and Eavesdropping on Telephone Calls

Copyright © 1993 - 2012
Privacy Rights Clearinghouse
Posted March 1993
Revised April 2012

  1. Introduction
  2. What can I do if I think my phone is tapped?
  3. Who can legally monitor phone conversations?
  4. Can digital telephone communications be monitored?
  5. Is it legal to tape record telephone calls?
  6. Are there products I can buy to find out if my phone is tapped?
  7. Are there other ways people may be listening to my conversations?
  8. What about pen registers and trap and trace devices?
  9. Who are the most common targets of electronic eavesdropping & wiretapping?
  10. Resources
  1. Introduction

    While relatively few legal wiretaps are authorized in the United States each year, improvements in technology have made it easier to illegally wiretap, record and eavesdrop on telephone conversations. People with sensitive jobs in business or government and those involved in high-stakes legal cases may have reason to be concerned about wiretapping and electronic eavesdropping.

    Wiretapping is any interception of a telephone transmission by accessing the telephone signal itself. Electronic eavesdropping is the use of an electronic transmitting or recording device to monitor conversations without the consent of the parties. Although many types of conversations may be subject to electronic eavesdropping, this fact sheet deals only with eavesdropping on telephone conversations.

    While this fact sheet deals only with wiretapping and eavesdropping on telephone conversations, wiretap laws are broader in scope. Federal wiretap laws apply to oral, wire, and electronic communications. However, the federal law does not currently regulate silent video communications, such as webcams or other video monitoring without an audio component. A well-publicized case involving a school laptop in Lower Merion, PA highlights this limitation. http://arstechnica.com/tech-policy/news/2010/03/school-laptop-spy-case-prompts-wiretap-act-rethink.ars.

    In 2010, there were 3194 criminal wiretaps authorized. The majority were for mobile phones or pagers in drug cases. Each tap lasted an average of 40 days. Information gathered from the wiretaps led to 4711 arrests and 800 convictions. These statistics do not include terrorism-related wiretaps or wiretaps conducted through the National Security Agency's warrantless wiretapping program. http://www.uscourts.gov/uscourts/Statistics/WiretapReports/2010/2010WireTapReport.pdf.

  2. What can I do if I think my phone is tapped?

    If you think your phone line is wiretapped, call your local phone company. Most phone companies will inspect your lines for wiretap devices free of charge. If a tap is found, the phone company will check to see if it is authorized. The phone company will alert you if the wiretap is illegal. It will also notify law enforcement and remove the device. You will not be notified, however, if the wiretap is legal, made by law enforcement and authorized by a court. Once a legal wiretap has been discontinued, though, the court must notify the tapped party that the wiretapping has taken place. Normally, this notice must occur within 90 days of the wiretap termination. (18 USC 2518(8)(d)).

    The government has been given narrowly confined authority to engage in electronic surveillance, conduct physical searches, and install and use pen registers and trap and trace devices for law enforcement purposes under the Electronic Communications Privacy Act (18 U.S.C. 2510 et seq.). Over the years, Congress has amended ECPA, sometimes in the interests of greater privacy and sometimes in the interest of more effective law enforcement or intelligence gathering.

    If you discover that someone has intentionally intercepted your private phone conversations, you may be able to take legal action. If you or the phone company find an illegal tap, you should notify local law enforcement officials. In addition, you may want to consult an attorney.

    It is a federal crime to wiretap without court approval, unless one of the parties has given their prior consent. It is likewise a federal crime to use or disclose any information acquired by illegal wiretapping. Violations can result in imprisonment for not more than five years; in fines up to $250,000 (up to $500,000 for organizations); in civil liability for damages, attorneys’ fees and possibly punitive damages; in disciplinary action against any attorneys involved; and in suppression of any derivative evidence.

    Many people think if they hear noises on the phone line, like clicks, static or voices, that the line is tapped. Most wiretapping devices emit no audible sounds. If you hear others talking on your phone, you may simply be experiencing "crosstalk," a common phone problem. If you hear crosstalk or other sounds, call your local phone company's repair service and ask it to investigate the problem. Cordless telephones also may pick up others' conversations. This can happen if you and a neighbor have cordless phones which are tuned to the same channel. (See PRC fact sheet no. 2, "Wireless Communications: Cordless/Cellular Phones and Pagers.")

  3. Who can legally monitor phone conversations?

    Federal law enforcement officials may tap telephone lines only after showing "probable cause" of unlawful activity and obtaining a court order. This unlawful activity must involve certain specified violations. The court order must limit the surveillance to communications related to the unlawful activity and to a specific period of time, usually 30 days. (Electronic Communications Privacy Act, 18 USC 2516)

    Until recently, California wiretapping laws were much more restrictive, prohibiting all wiretaps without the consent of all parties to the conversation, except for investigations involving certain controlled substances violations (California Penal Code 629; 629.02; 631). However, as of January 1, 1996, the State Legislature amended this law to allow state law enforcement officials to obtain wiretaps in investigations involving murder, solicitation to commit murder, aggravated kidnapping, crimes involving bombings, and conspiracy to commit any of these offenses. This law is intended to bring California wiretapping law more in line with the federal law. (California Penal Code 629 et seq.)

    Courts have held that the California law does not apply to wiretaps by federal agents authorized by a valid federal warrant. For example, federal agents may go to federal court and obtain a warrant to place a wiretap in California, even though state officials may be barred by state law from obtaining a wiretap under similar circumstances.

    Both federal and California law enforcement officials may eavesdrop on and record telephone conversations without a court order under the so-called "one party consent provision" (18 USC 2511(2)(s); California Penal Code 633). In other words, if state or federal authorities have the consent of one party to a conversation (such as a government informant), the conversation may be monitored. This provision applies only to eavesdropping by law enforcement officials.

    Telephone company employees may listen to your conversations when it is necessary to provide you with service, to inspect the telephone system, to monitor the quality of telephone service or to protect against service theft or harassment. Also, employers may monitor and even record their employees' phone conversations with few restrictions (18 USC 2511(2)(a); California Penal Code 631(b)). (See PRC fact sheet no. 7, "Employee Monitoring: Is There Privacy in the Workplace?")

  4. Can digital telephone communications be monitored?

    In 1994 Congress passed the Communications Assistance for Law Enforcement Act, also known as the Digital Telephony Act (18 USC 2510-2522). The Act's purpose is to provide law enforcement officials with assurance that they will be able to "tap" or have access to the content of any communications incorporating new digital technology. These digital transmissions include both voice communications transmitted in digital format as well as transmissions of text and data between computers using a modem.

    Traditionally, law enforcement agents accessed telephone communications by tapping the line and simply listening in on the conversation. However, digital communications services generally convert telephone conversations and other transmissions to a digital code that is impossible to "listen in" on. The Digital Telephony Act requires all telephone companies to make digital communications available to law enforcement officials in the same way that traditional voice transmissions are currently accessible.

    This law specifically states that it does not alter or expand the current ability of investigators to conduct a wiretap. It merely allows them to access digital communications in the same manner as voice communications once a legal wiretap has been authorized. Furthermore, telephone companies are not required to decrypt encrypted (i.e. scrambled) communications unless the telephone company itself provides the encryption service. Finally, the federal government must reimburse the telephone companies for many of the modifications necessary for compliance with the law.

    Users of Internet telephony services such as should note that most of these services are not subject to the provisions of the Digital Telephony Act. The Act contains an exemption for "information services" (i.e., the Internet). VoIP (voice over Internet protocol) services take many forms, from the peer-to-peer model used by Skype to others in which the path between the subscriber and the telephone central office is traditional telephony but Internet protocol (IP) communications are used throughout the remainder of the call's path. Most IP communications do not behave as telephone calls. Peer-to-peer VoIP systems use a centralized mechanism to provide the communicating parties with each other's IP addresses but rely on the Internet for the actual communication. Thus, there is no central point at which a wiretap could be authorized.

  5. Is it legal to tape record telephone calls?

    The state and federal laws mentioned above deal primarily with wiretapping and eavesdropping by law enforcement officials. In addition to these laws, both the Federal Communications Commission (FCC) and the California Public Utilities Commission (CPUC) have acknowledged the importance of privacy in telephone conversations by placing additional restrictions on tape recording such conversations.

    California law does not allow tape recording of telephone calls unless all parties to the conversation consent (California Penal Code 632), or they are notified of the recording by a distinct "beep tone" warning (CPUC General Order 107-B(II)(A)(5)). However, tape recordings can legally be made if an individual or members of one's family are threatened with kidnapping, extortion, bribery or another felony involving violence. The person receiving the threats can make a tape recording without informing the other party. (California Penal Code 633.5)

    Federal law allows recording of phone calls and other electronic communications with the consent of at least one party to the call. A majority of the states and territories have adopted laws based on the federal standard. But 12 states, including California, require the consent of all parties to the call under most circumstances. These are California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington. For a state-by-state guide to taping laws, including a discussion of federal law and references to caselaw, see the Reporters Committee for Freedom of the Press guide, www.rcfp.org/taping/. The National Conference of State Legislatures offers a comprehensive guide to Electronic Surveillance Laws.

    These laws and regulations often do not apply to law enforcement investigations, emergency situations or patently unlawful conversations. The FCC has acknowledged that these regulations are difficult to enforce, and violations are virtually impossible to detect. Consumers should not be lulled into a false sense of security that their call is private simply because there is no notice of recording.

    Furthermore, it is not always clear which law, state or federal, applies to specific situations. This depends on where the call originates, why the recording is being made and who places the call. To stay within the law, you may wish to refrain from taping calls you make, but be aware that in certain situations others may be recording your conversations with them.

    The California Supreme Court held in Kearney v. Salomon Smith Barney, Inc., 137 P.3d 914 (2006) that out-of-state businesses are prohibited from monitoring or recording their telephone calls with California residents, even if that conduct takes place in any of the states where only one party's consent is required to lawfully monitor or record a telephone call. Thus, California's two-party consent law governs any calls between a company's location in a one-party consent state and customers located in California.

  6. Are there products I can buy to find out if my phone is tapped?

    No. Devices can be purchased which claim to detect phone taps. Let the buyer beware. Experts say there are no devices that can reliably detect any current wiretapping technology.

    To be successful, a "tap detector" must detect a change in the electrical characteristics of a telephone line, such as a voltage drop, or a change in the characteristics of signals that are transmitted over a telephone line. Most of the wiretapping techniques used today, whether authorized for law enforcement use or conducted illegally, do not produce changes in line or signal characteristics.

    "Tap detectors" may be able to detect someone "listening in" by picking up an extension phone, and may be able to detect someone cutting a telephone line. However, neither of these occurrences may be considered a "wiretap," strictly speaking, and neither of these occurrences is necessary in order for someone to connect a wiretap to your line. Those with experience in telephone technology advise consumers to disregard the claims of companies that sell "tap detectors."

  7. Are there other ways people may be listening to my conversations?

    Yes. The determined eavesdropper will find a variety of sophisticated electronic surveillance and listening devices on the market. Also, radio scanners are available which can monitor cordless and cellular phone conversations, baby monitors and home intercom systems, especially older devices that use analog technology rather than digital signals. (See PRC fact sheet no. 2, "Wireless Communications: Cordless/Cellular Phones and Pagers.") Long distance calls which travel by microwave or satellite links are also susceptible to monitoring.

  8. What about pen registers and trap and trace devices?

    Certain devices, when attached to a phone line, allow the numbers of incoming or outgoing calls to be recorded. A "pen register" is a device which records numbers dialed out on the telephone line to which it is attached. A "trap and trace device" records the numbers from which any incoming calls are dialed.

    According to federal and California law, a court order must be obtained before these devices may be attached to a phone line (18 USC 3121; 69 California Attorney General Opinion 55). However, telephone companies may use these devices without a court order to protect against theft or fraudulent use of the telephone service, or to protect customers from harassment.

    These devices may only be used to obtain the number of the calling party. Neither device is capable of recording the content of a conversation. The use or installation of pen registers or trap and trace devices by anyone other than the telephone company, service provider, or those acting under judicial authority is a federal crime, punishable by imprisonment for not more than a year and/or a fine of not more than $100,000 ($200,000 for an organization). There is no accompanying exclusionary rule, however, and consequently a violation of section 3121 will not serve as a basis to suppress any resulting evidence.

  9. Who are the most common targets of electronic eavesdropping & wiretapping?

    If you are in a position where others might benefit from listening to your conversations, you may be a target of electronic eavesdropping or wiretapping. For example, if other companies could experience financial gain from hearing details about your work, you run a higher risk of being wiretapped or "bugged." People involved in controversial political activities and high-stakes legal proceedings are also at risk of being the target of illegal monitoring and eavesdropping.

    If you believe your phone conversations are being illegally monitored, you may want to consult an attorney and/or a private investigator. Be sure to check for references and proper licenses. Get all fees and conditions in writing before acquiring the assistance of a legal or investigative service.

    Since the terrorist attacks of September 11, 2001, many states have passed laws that expand their wiretapping authority. A comprehensive listing of state laws is available in the Congressional Research Service Report "Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping" (December 3, 2009) (http://assets.opencrs.com/rpts/98-326_20091203.pdf) at Appendices A-E.


  10. Resources:

    Reporters Committee for Freedom of the Press

    For a 50-state listing of taping consent laws, "A Practical Guide to Taping Conversations" visit
    www.rcfp.org/taping

    Congressional Research Service Report

    "Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping" (December 3, 2009)


STICKS STONES AND DANGEROUS WORDS: WES PRUDEN

By on May 29th, 2012

http://www.prudenpolitics.com/newsletter?utm_source=P&utm_medium=email&utm_campaign=3672&P+Auto+1=

The scholars and wordsmiths at the Department of Homeland Security leave everyone who aspires to good citizenship perfectly speechless.

Some of the wordsmiths put together a manual for agents who track the Internet, looking for evil-doers and those who aspire to evil-doing. These agents are assigned to pick up suspicious words for further investigation. Some of the worst of the evil-doers have been caught after their schemes, plots and intrigues were detected in e-mails intercepted by agents of the Department of Homeland Security.

Long lists of words the innocent should never use were acquired by the Electronic Privacy Information Center, a privacy watchdog group that obtained the lists through a request for documents under the Freedom of Information Act. It’s clear that federal agents who conduct Internet searches for offending words can succeed only if they have a lot of time on their hands.

Some of the words, like “attack” or “terrorism” or “dirty bomb,” are so obvious that a cave man could detect them. Others, like the words cops, police, riot, emergency landing, powder (white), swine, pork and ‘flu, do not seem so obviously dangerous. Your Aunt Evelyn in West Gondola, scribbling an affectionate note at the bottom of a birthday card, could invite federal scrutiny without intending to harm anyone.

Other words suspicious to the feds include: airplane, subway, Port Authority, grid, power, electric, port, dock, bridge, delays, cocaine, marijuana, border, Mexico, kidnap, bust, Iraq, Iran, nuclear, tornado, tsunami, storm, forest fire, ice, snow, sleet, Cain, Abel, China, worm, anthrax, cloud, North Korea, and “lightening,” presumably meaning “lightning.”

The suspicious words are included in something called the Analyst’s Desktop Binder, used by agents at the National Operations Center to identify “media reports that reflect adversely on [Department of Homeland Security] and response activities.”

The existence of the verboten list emerged from the bowels of bureaucracy only after a hearing before a House subcommittee looking into how analysts monitor newspapers, magazines, Internet sites and social networks. They’re looking for “comments that ‘reflect adversely’ on the government.”

This covers a lot of ground, sinful, criminal, harmless and otherwise, but the Department of Homeland Security reassures one and all that it is not looking for disparaging remarks about the Obama administration, the government or the bureaucrats who work for the government. They’re not looking for signs of “general dissent.” Of course not. Who would suspect the government of poking its nose into the business of private citizens? Would Janet Napolitano, the secretary of homeland security, do that?

The government can nevertheless be dull and dim-witted. An investigator for one of the many government security agencies, a young man with the requisite 1950s haircut and polite manner, one day called to ask whether I would vouch for the character of a young man, just out of Harvard Law, who had applied for a position with a Senate committee. I knew him to be exactly what the government should be looking for, Harvard trained or not, and said so.

“Well,” the agent replied, “we have information that he lived abroad for several years. Do you know why?”

I looked at the dates he had indeed lived abroad, in a large European capital famous for its spies, furtive nocturnal liaisons and dark diplomatic intrigues. “Yes,” I said, “that is roughly the time his father was the American ambassador there, and the young man would have been between 2 and 6 years old.”

The agent was not persuaded. “Still, that is a long time to live abroad. He may have had a good reason to spend so much uninterrupted time in a foreign capital, but we would like to know why.” The young man was finally cleared for duty several months later, the stain on his baby character overlooked.

The watchdog group that obtained the list of suspicious words complained to the House subcommittee on counter-terrorism and intelligence that the Homeland Security list is “broad, vague and ambiguous,” and includes “vast amounts of First Amendment-protected speech that is entirely unrelated to the Department of Homeland Security mission to protect the public against terrorism and disasters.”

The bureaucrats trying to keep the homeland secure, even at the cost of damage to the First Amendment, now concede that its language is vague and should be “updated.” In the hands of normal speakers of English, the lists can be harmless enough, but computers are only as smart as whoever is punching the keyboard. That’s not always very smart. The hands of government agents are heavy on all of us. That’s why watchdogs need teeth.

Wesley Pruden is editor emeritus of The Washington Times.

more to come when the senate takes it up