Cage Match: OMB Report V/S GAO Report, Only One Comes Out Alive

Posted March 17th, 2008 by

Heh, sensationalist title, but you get the point.  There are two worlds out there contained in two reports that came out last week.  And yet, they seem to contradict each other.

Let’s see our combatants, shall we:

In this corner we have GAO.  GAO issued THEIR report as a prepared testimony to Congress.  They’ve delivered it numerous times to various committees, and I dare say that Mr Wilshusen is getting some mileage with this report.  Basic summary:  numbers are getting better, but 21 out of 24 agencies do not have a complete information security program.

And in this corner we have OMB.  OMB issued THEIR report as a formal report to Congress.  This is a one-shot annual deal, although afterwards there are bound to be some hearings on it.  Basic summary:  we’re doing pretty well and we’re working to police up the odds and ends even more efficiently.

Now keep in mind these two simple facts:  GAO works for Congress (Legislative Branch), OMB works for the President (Executive Branch).  This is critical to remember, so file it away.

The funniest thing for me as an outside observer is that if you look at the numbers each report cites, they’re identical.  A view behind the inner workings of the government:  both groups are working off exactly the same sets of data.

In preparing for this testimony, GAO analyzed agency, IG, Office of Management and Budget (OMB), and GAO reports on information security and reviewed OMB FISMA reporting instructions, information technology security guidance, and information on reported security incidents.   –GAO Report

In other words, GAO used exactly what was reported to OMB but came up with different conclusions.  Some of that is to be expected, it’s the same doers v/s the auditors conflict that’s been going on since the beginning of time, but wow, there is a huge disparity here that we need to account for.

I didn’t catch this with the GAO report, but I noticed it with the OMB report:  229 systems are not categorized, but 94% of these are certified and accredited.  Say what?  How can you tell whether the security controls are implemented and the residual risk of the system is at an acceptable level when you have not determined what protection needs you have, much less your requirements?  This is akin to saying that a piece of software has passed user acceptance testing when the user population doesn’t know what its needs or requirements are.  Now occasionally you don’t know how to categorize a system because it breaks our model:  a low-criticality network that serves as the backbone for one highly-critical application, a legacy application that just isn’t worth categorizing because we’re in the process of decommissioning it, etc.
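To make the dependency concrete, here is an added inventory consistency check (my own example, not code from the post, OMB or GAO).  It walks a set of constructed system records and flags any system that holds a C&A without a FIPS 199 categorization behind it, while keeping the decommissioning-legacy-system edge case as a separate, explainable finding.  The record fields, system names and sample inventory are all assumptions made up for the example; the accreditation rate it computes is over that sample, not the 229 systems in the OMB report.

```python
from dataclasses import dataclass
from typing import Optional

# FIPS 199 impact levels an agency can assign to a system.
VALID_IMPACT_LEVELS = {"low", "moderate", "high"}


@dataclass
class SystemRecord:
    """One row of a constructed agency system inventory (hypothetical fields)."""
    name: str
    impact_level: Optional[str]      # FIPS 199 categorization; None if never done
    accredited: bool                 # holds a C&A / authorization to operate
    decommissioning: bool = False    # slated for retirement, so categorization was skipped


def classify(record: SystemRecord) -> str:
    """Label a record by whether its C&A status rests on a categorization.

    The ordering enforced here is the dependency the post describes: you
    cannot judge whether controls are adequate (accredit) before you have
    decided what protection the system needs (categorize).
    """
    level = record.impact_level.lower() if record.impact_level else None
    if level is not None and level not in VALID_IMPACT_LEVELS:
        return "invalid_level"
    if level is not None:
        return "ok"
    # From here on the system is uncategorized.
    if record.accredited and record.decommissioning:
        return "accredited_uncategorized_legacy"   # explainable edge case
    if record.accredited:
        return "accredited_uncategorized"          # the contradiction in the post
    return "uncategorized"


def audit(records):
    """Group system names by finding, preserving inventory order."""
    findings = {}
    for r in records:
        findings.setdefault(classify(r), []).append(r.name)
    return findings


def uncategorized_accreditation_rate(records):
    """Share of uncategorized systems that nevertheless hold a C&A.

    Returns 0.0 when no system is uncategorized, so the caller never divides by zero.
    """
    uncategorized = [r for r in records if not r.impact_level]
    if not uncategorized:
        return 0.0
    accredited = sum(1 for r in uncategorized if r.accredited)
    return accredited / len(uncategorized)


# Constructed sample inventory; the names and statuses are invented.
SAMPLE_INVENTORY = [
    SystemRecord("payroll", "moderate", True),
    SystemRecord("public-web", "low", True),
    SystemRecord("case-mgmt", None, True),                      # accredited, never categorized
    SystemRecord("old-hr-app", None, True, decommissioning=True),
    SystemRecord("lab-lan", None, False),
    SystemRecord("grants-db", "critical", True),                # not a FIPS 199 level
]

if __name__ == "__main__":
    for finding, names in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{finding}: {', '.join(names)}")
    rate = uncategorized_accreditation_rate(SAMPLE_INVENTORY)
    print(f"accredited share of uncategorized systems: {rate:.0%}")
```

Run against the sample it reports one genuinely contradictory record (case-mgmt), one explainable legacy case (old-hr-app), one record whose categorization is not a valid FIPS 199 level, and a two-thirds accreditation rate among the uncategorized systems; the same check over a real inventory export is what an IG would need before calling a C&A process "satisfactory".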

Now as much as I want to stand up and tell you that the agencies have been doing outstanding C&As, I just don’t believe the IGs when they say that some of them have “satisfactory” C&A processes.  Maybe I’m just a little bit cynical, but that’s the way I call it.  I know some of these agencies, and no way would I say “satisfactory” for some of them.

Now as far as the contradicting reports, let’s do a hasty analysis of the current political situation in DC, shall we?  The Executive Branch is controlled by the Republicans (and has been for 7 years), the Legislative Branch is controlled by the Democrats (for only a year), and oh yeah, it’s an election year.  You would expect the Congress-owned GAO to sing songs of woe and the President-controlled OMB to sing songs of praise.

And that, dear readers, is the difference between the two reports.

So at the end of all this, which report is the one true report, the other one being full of lies, damn lies, and statistics?  Well, they’re both just as accurate (they came from the same source data, remember), only from different angles.

The cynic/BSOFH in me says that you need to pull out the OMB report most of the time, especially when it’s time for your annual review, and pull out the GAO report when you need to justify your IT security budget.  But no, none of the CISOs or CIOs I know in the government would do that, would they?   =)


Posted in BSOFH, FISMA | 5 Comments »

5 Responses

  1.  Vlad the Impaler Says:

    Errr…. Yeah.

    What’s your point? That’s the only purpose for these things — money, money, hate, hate, politics-of-hate.

    VTI

  2.  System Advancements at the Monastery » Blog Archive » FISMA: Paperwork Or Actual Security? Says:

    […] Risk Services organization of Deloitte & Touche LLP, writes in his posting titled, “Cage Match: OMB Report V/S GAO Report, Only One Comes Out Alive:” GAO used exactly what was reported to OMB but came up with different conclusions. Some of […]

  3.  Security at GLORIAD » Blog Archive » FISMA: Paperwork Or Actual Security? Says:

    […] Risk Services organization of Deloitte & Touche LLP, writes in his posting titled, “Cage Match: OMB Report V/S GAO Report, Only One Comes Out Alive:” GAO used exactly what was reported to OMB but came up with different conclusions. Some of […]

  4.  FISMA Report Cards Issued–Response is Rote by Now | The Guerilla CISO Says:

    […] people, so it’s nothing to get all hot and bothered about.  The GAO and OMB reports that I’ve covered in much detail are much better and have a pretty decent level of […]

  5.  System Advancements at the Monastery » Blog Archive » The New Cyber Security Plan: What Role Will DHS Play? Says:

    […] Laura Keehner, DHS Press Secretary, stated. Michael Smith in his must read post, “Cage Match: OMB Report V/S GAO Report, Only One Comes Out Alive,” provides some great insight into the different perspectives and motives government agencies […]
