The Vendors are Already Jumping on the 07-11 Bandwagon

Posted May 21st, 2007 by

Two months ago, OMB released Memorandum 07-11 which established the authority for government-wide hardening standards for Windows products. It’s a very good thing in my opinion.

However, I’m beginning to see the start of the side effects. I have vendors already that are beating down my door trying to sell me compliance solutions that will help me meet this “oh-so-very-important standard”. I think they missed the other things I’ve had to say about compliance. The one worry that I have is that people will hit their systems with whatever technical policy compliance tool and think that they don’t have to do anything else. I think really that’s the one big problem I have with this entire class of products: they present themselves as the cure-all for all the security problems that an organization could have.

Knowing the people from NIST, it’s the classic problem that they have: they issue guidance and people blindly follow it even though it’s contradictory and not smart security. The best part is when people offer “NIST-Compliant” solutions (I take that out of our marketing material whenever I find it and then take the time to educate people on why it’s wrong) which are, at best, “our interpretation of the guidelines with numerous assumptions”, and think that this is all that an organization should do security-wise. Well, the catch is that NIST, compliance frameworks, and vendors can’t anticipate every situation, so at the most what they’re offering is a 75% solution. If you go back to both NIST and OMB, they will tell you to make a decision based on a cost-benefit-risk comparison.

My friend Art Chantker from The Potomac Forum has an executive breakfast on the 24th with a good host of speakers: OMB, NIST, Microsoft, and US Air Force. I’ll be there, just for the simple fact that I can refute claims later when somebody offers me yet another compliance solution. =)

This whole unified standard business was started by the US Air Force, who very simply decreed that you wouldn’t connect a Windows system to the network until it met the technical standards. Hmmm, wonder where they got the idea for a technical standard? This isn’t new; DoD has been doing it for years. I guess finally the clueful people got together and decided to make the migration to Vista a chance to get STIGs implemented in the civilian agencies.

Posted in FISMA, NIST, Rants, Technical | 3 Comments »

3 Responses

  1.  halon73 Says:

    I hate the word compliance. To me it is just a way to check a box! I really wish that the Fed would consider the aftershocks of the directives and legislation that they put out into the world. We are fighting to shift the paradigm to risk management and they keep putting out guidance that fuels the tooling folks up for another tool to prove how you are “compliant”.

    So how are we ever expected to get off the hamster wheel of pain and take it to the next level?

  2.  rybolov Says:

    It takes education and getting the common sense risk management idea out there.

    http://www.guerilla-ciso.com/archives/106

  3.  Graydon McKee Says:

    Okay, this may be shameless self promotion, but check out an article on NetworkWorld by Joe Faraone and me.

    http://www.networkworld.com/newsletters/sec/2006/0320sec1.html
