FISMA: Better if PCI. WTF?

Posted March 31st, 2008 by

That’s why it’s time to reassess what FISMA should measure.  One model worth considering: the audit guide used by the payment card industry.”

Wow, just wow.  I didn’t know what to say for a couple of minutes…

But here goes.

Guys, seriously, the only time that FISMA gets any airtime at all is this time of the year, when all the reports come out.  The rest of the time, nobody cares unless they’re the CISO’s staff in an agency or they’re trying to pitch a product or service to the government.  Yes, I resemble both of those.

Of course, by now the responses to the annual FISMA reports are getting rote:

  • A couple of newspaper articles about how security in the government sucks.
  • Some blog posts about how, since the government can’t get its act together, it shouldn’t tell the rest of us what to do.
  • GAO and OMB testify in front of Congress about what the numbers mean.
  • Recursive commentary about how the numbers mean that collecting the numbers is worthless.
  • A formal statement from SANS about how FISMA is failing.
  • Some techno-geeks chiming in that if only the government would do this one thing that they’re a specialist in, all of its security problems would go away.
  • A plethora of people misunderstanding what “that FISMA thing” is, thinking that it’s some report card.
  • Everybody forgets about it all until next year.

Even I’m part of that, being a contractor who sells security services and all.

So where am I headed with all this?  Well, just to point out that there are a ton of people out there who get to play armchair quarterback every March about FISMA and security in the government as a whole.  It’s fun, but we’ll forget about it as soon as it’s tax time.



Posted in FISMA, Rants | 3 Comments »

3 Responses

  1.  mini-me Says:

    Hey, look on the bright side. If Hillary gets elected she wants to cut 500,000 government contractors. So if you align FISMA closer to PCI, if everyone gets laid off by Hillary you have now cross trained yourself into your new role as PCI consultant! It’s a win-win situation

  2.  halon73 Says:

    I must say that when I read the GCN editorial my jaw dropped. I mean, HS, the last thing we need is PCI. I’ve heard that is even more of a joke from folks I know in the banking industry. A huge scam I think is what they said. Denver is a big area for financial processing companies and the folks I’ve met all hate PCI as a big paper drill and the fees! The fees that are charged are next to extortion.

    A wise man, the guy who wrote this blog, once told me that no one, and he means no one, operates an information processing system the size and complexity that the federal government runs on a daily basis. The IT systems that operate day in and day out by the US Government would dwarf many European countries many times over.

    Is FISMA broken? You bet! Is there a better way? Sure! But sadly, just like many things inside the beltway, this activity has become an institution simply because of fear. The govies hate and fear FISMA because they are rated on it for performance reasons. But the contractors, the ones without integrity (yes, there are good contractors and bad ones), love it because they can come in with boilerplate documents and check-box a C&A for an agency with cheap technical writers and make a killing.

    The real problems are within FISMA, as the law is a good law. But it is only a law, and one that most, even those who profess to be security pros, haven’t read. The problem is with GSA and the people that are allowed to manage IT in the government.

    When you combine fear and ignorance you get the results you see in the federal IT space. People who are ignorant are even more likely to be fearful out of simple panic attacks from feeling paralyzed from their own stupidity.

    The GSA and the managers in agencies should be held to account for placing people in jobs they should never have been allowed to even interview for. But the GSA allows government employees to get jobs at their grade and, with a well-wordsmithed resume, slide into any position they like.

    Counting COBOL programming 25 years ago as “IT” experience that qualifies you to be a CISO is a joke unto itself. Sadly that is just the case, because the people in the GSA who review the quals don’t have a clue what they are looking at.

    Just as President Bill Clinton got that “it’s the economy, stupid,” I say that “it’s the people, stupid” that are the real problem.

    If we had COTRs, GS managers, and ISSMs that understood a cost-based, risk-managed approach to information security, it would be a whole new FISMA world. 😉

    But the reality inside the beltway is that we have thousands of technical writers putting down that they are “Information Assurance Analysts,” floating from one C&A contract to another with boilerplate templates and filling in check boxes.

    The fear that paralyzes GS’rs into submission doesn’t stop in the lower ranks. The CIOs and IOGs have failed their sworn duty to do the work and use the processes outlined by NIST to do due diligence and make sure the ATOs they are signing are actually legitimate and not well crafted cr@p.

    But to question would mean to slow the process down and all that matters is the 4 binders of paper sitting on someone’s desk that show that the person actually did something that year.

    Life inside the beltway is about survival and managing fear from day to day. Weeks can go by before a GS’r would do something productive and heaven forbid that anyone make a command decision for fear that they would have to be held to account for that call.

    So don’t lay blame on the law. Like I said, it’s a good law but with no good people to make it work. Politicians seeking the office of the President talk of changing Washington and I laugh until I pass out. The only way to change Washington is to take the people out of the beltway and scatter them across the United States.

    1) They would have to work to communicate.
    2) You’d break up the 3-hour lunch breaks.
    3) Break up a culture of indifference and idiocracy.
    4) Make DC relevant outside the beltway. (I literally had a command unit tell me “Who are you and why should I care?”)
    5) Having 90% of the command and control infrastructure/people within a 30-mile radius of the Capitol building is insane. They had the right idea in the Cold War!!!!! Put freaking bases everywhere so that one well-placed nuke wouldn’t wipe out the whole freaking military.

    This really comes back to the story of the “Tower of Babel,” where at the end of the story all the people are scattered across the earth speaking different languages.

    It is insane that we can’t leverage the very IT assets we protect to perform an exorcism and remove the demons from DC. It was never the intention of the founding fathers to have a national capital built in such a way that all the power resided in one place. Power was to be balanced between the states and the federal government. But today DC is the gravitational black hole of the free world, and here I sit on the event horizon, grateful to have made it this far out and survived.

    Well that is my rant! BTW they want to move my job back to DC! FRACKERS!

  3.  rybolov Says:

    So Mr Halon, how do you really feel about it? =)

    Seriously, though, I’m not able to draw a connection between GSA and the rest of what you’re talking about.

    The thing you have to keep in the back of your mind is that the Government is filled with people, and people come in all sorts of varieties.

    Hang in there, it gets better.
