Reading Between the Letters G, A, and O

Posted February 20th, 2008 by

OK, so the Government Accountability and Office delivered their testimony to Congress on the Government’s dismal state of security.  You can get the testimony here and check out some responses here and here.

My favorite 2 quotes: 

“Federal agencies continue to report progress in implementing key information security activities. The President’s proposed fiscal year 2009 budget for IT states that the federal government continues to improve information security performance relative to the certification and accreditation of systems and the testing of security controls and contingency plans.”

Followed by:

“An underlying cause for these weaknesses is that agencies have not fully or effectively implemented agencywide information security programs.”

Maybe I’m a bear of very little brain, but these sound like GAO is  contradicting itself.  How can things be getting better when they don’t exist?  Truth be told, from a government-wide view, you have to rely on metrics to give you a picture of how things are going, but at the end of the day, they’re still just that, indicators.  Of course, I haven’t worked with all 24 agencies, so maybe my worldview is pretty myopic.

Now, I don’t know about all of you, but I have yet to see an infosec program where there actually was excessive resources to get the job done.  As a result, in the sane world we have to prioritize:  is it worth my time and money to implement a better automated vulnerability scanning tool or mandatory drug testing for IT staff?

But here’s the rub:  in a compliancy-driven information security model, there is no way to priotitize what you need to get done.  It all bears the same weight.  In the world of GAO, if you can not prove that a control exists, you have not implemented a security program.

We’ve talked metrics before, and this has always been one of my problems with the way the Government is doing FISMA reporting right now:  if your metrics are not actionable–that is, you do not use the results to make changes–all you are doing is security management through shame.

Now the things that are happening, I see this is some fairly good analysis of the numbers behind the numbers behind the numbers and what we’re going to see over the next couple of years:

  • The Information Systems Security Line of Business:  I think this is a good thing, but it has some issues that the Government needs to resolve before it becomes more than just a pet project.

  • Federal Desktop Core Configuration:  Fantastic idea, but the implementation is harder than OMB thinks it will be–you can’t just shake the magic FISMA wand at your LAN and think that the legacy applications will still work.  Now for those of you who think FDCC is just the end, wait for the Router Core Configuration and Server Core Configuration.

  • SmartBUY:  Centralized COTS buying.  This is pretty happy, although it’s tangentially related to security, it’s more of an overall IT management strategy.

  • Trusted Internet Connections initiative:  I like this, I really do, but implementation is a bear.

  • Clarify requirements for testing and evaluating security controls:  Auditors need to say this:  “We could have done a better auditing job but the standard was lacking”.  Yes, the standards for gathering metrics suck, but they’re getting better as we go.  My opinion is that in order to evaluate security controls, you need to have a definitive set of security controls in the first place, but if you’re doing that, you’re looking at compliance and “audit risk” not mission risk and risk to IT investments.

  • Enhance FISMA reporting requirements:  The standardes have been evolving for 5 years and will continue to evolve.  So far we’ve been gathering metrics for the sake of gathering them, now it’s time to figure out specifically what we want to know and tailor the metrics to that question.

  • Consider conducting FISMA-mandated annual independent evaluations in accordance with audit standards or a common approach and framework:  Um, I thought we already had this.  Maybe I’m just slow-thinking today.

So, the Guerilla CISO’s takeaways from this conversation:

  • If you look at the metrics and see that they are improving, what more do you want?
  • Government needs to learn how to prioritize.  Their metrics should support this goal.
  • It’s the job of an auditor to always find something and to always CYA by spreading stories of woe and gloom.  Anticipate that this will happen and don’t be outraged when it does.

Similar Posts:

Posted in FISMA, Rants, What Doesn't Work | 1 Comment »

One Response

  1.  The Guerilla CISO » Blog Archive » More GAO Testimony Says:

    […] has delivered an updated version of the testimony from February 14th that I talked about here. I’m not going to rehash what I’ve already said, but I want to focus your attention on […]

Leave a Comment

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.

Visitor Geolocationing Widget: