OK, since everybody seems to think that FISMA is some evil thing that needs reform, this is the version of events on “Planet Rybolov”:
Goals to surviving FISMA, based on all the criticisms I’ve read:
- Reduce paperwork requirements. Yes, some is needed. Most is not.
- Reduce cost. There is much repetition in what we’re doing now, it borders on fraud, waste, and abuse.
- Increase technical effectiveness. IE, get from the procedural and managerial tasks and get down into the technical parts of security.
“Uphold our Values-Based Compliance Culture photo by kafka4prez.
So now, how do you keep from letting FISMA cripple you or turn into death-by-compliance:
- Prioritize. 25% of your controls need to not fail 100% of the time. These are the ones that you test in-depth and more frequently. Honestly, how often does your risk assessment policy get updated v/s your patch management? Believe it or not, this is in SP 800-53R3 if you interpret it in the correct context. More importantly, do not let your auditors dictate your priorities.
- Use common controls and shared infrastructure. Explicitly tell your system owners and ISSOs what you are providing as the agency CISO and/or the GSS that they are riding on. As much as I hate meetings, if you own a General Support System (GSS), infrastructure (LAN/WAN, AD Forest, etc), or common controls (agency-wide policy, budget, Security Operations Center, etc), you have a fiduciary, legal, and moral obligation to get together with your constituency (the people who rely on the security you provide) and explain what it is you provide and allow them to tell you what additional support they need.
- Share Assessment Results. I’m talking about results from service providers with other agencies and systems. We’re overtesting on the high-level stuff that doesn’t change and not on the detailed stuff that does change. This is the nature of security assessments in that you start at the top and work your way down into the details, only most assessments don’t get down into the details because they’re busy reworking the top-level stuff over and over again. Many years ago as a contractor managing infrastructure that multiple agencies used, it was unbelievably hard to get one agency to allow me to share security documents and assessment results with other agencies. Shared assessment results mean that you can cut through the repetitious nature of what you’re doing and progressively get deeper into the technical, frequently-changing security aspects.
- Simplify the Paperwork. Yes, you still need to document what you’re doing, but the days of free-text prose and being graded on grammar and punctuation need to be over. Do the controls section of System Security Plans as a Requirement Traceability Matrix. More important than that, you need to go by-control by-component. If you are hiring contractors and their job is to do copypasta directly from NIST documents and change the pronouns and tenses, you’re doing it wrong. Don’t stand for that in your security policy or anything else that you do.
- Automate Wherever Possible. Note that the controls that change frequently and that need to not fail usually fit into this group. It’s one of those “Things that make Rybolov go ‘Hmmmm'”. Technology and automation provide both the problem and the solution. Also see my first point up above.
- Fire 50% of Your Security Staff. Yes, I’m serious. Those people you didn’t need anyway, primarily because they’re violating all the points I’ve made so far. More importantly, 25 clueless people can mess things up faster than 5 clueful people can fix them, and that’s a problem for me. Note that this does not apply to @csoandy, his headcount is A-OK.
The incredible thing to me is that this stuff is already there. NIST writes “hooks” into their Special Publications to allow the smart people the room to do all these things.
And now the part where I hop up on my soapbox: reforming FISMA by new legislation will not make any achievements above and beyond what we have today (with the exception of creating a CISO-esque position for the Exective Branch) because of the nature of audit and compliance. In a public policy sense, the more items you have in legislation, the more the audit burden increases and the amount of repetition increases, and the amount of nonsense controls (ie, AntiVirus for Linux servers) increases. Be careful what you ask for, you just might get it.
Posted in FISMA, NIST, Rants, Risk Management, What Doesn't Work, What Works | 2 Comments »
Tags: 800-53 • 800-53A • accreditation • auditor • C&A • cashcows • catalogofcontrols • certification • compliance • fisma • FUD • gao • government • infosec • infosharing • management • moneymoneymoney • NIST • omb • pwnage • risk • security