FISMA Report Cards Issued–Response is Rote by Now

Posted May 21st, 2008 by

Yay, FISMA report card for 2007 has been issued.  You can go check it out here.  I can’t believe it, but DHS scored a “B” against all odds. =)

And of course, by now the response to the report card is all rote–everybody wonders what the letters really mean:

Yeah, yeah, I guess it just goes to prove what we say about the classified world: the people who know don’t talk and the people who talk don’t know.  In this case, everybody attacks the metric because, well, it’s a bad metric: what action is anyone supposed to take based on the results?  It’s also pretty much ignored by this point anyway, except for the witty sound bites from some of my “favorite people”, so it’s nothing to get all hot and bothered about.  The GAO and OMB reports that I’ve covered in much detail are much better and have a pretty decent level of analysis.

But fer chrissakes, the report card is issued by Congress, how much detail do you think it will ever contain?  =)

My rapidly expanding queue of pet peeves about this time of the year:

  • People who think that FISMA is just a report card and that we should re-examine how we measure security:  the grades are not even required by the law, they’re just an implementation technique, and we can change that easily enough.
  • People who criticize but do not offer an alternative:  even if you had an alternative plan, the environment for execution still involves the same IT assets and the same front-line employees.
  • People who don’t understand enterprise-wide security much less a federation of semi-independent enterprises: it’s the nature of government-wide security metrics that they’ll be indicators which can be faked.
  • Sound bites from people who have never implemented any aspect of FISMA:  come on, SANS and Gartner?  GAO and the Cyber Security Industry Alliance are a little bit better but taken out of context.
  • Nobody ever asks me for a quote on FISMA numminess:  I’ll be pouting for the rest of the week, TYVM.  =)

Not that I’m the world’s best expert at fact-checking, but something caught my eye in the report:  it’s issued by Tom Davis and the URL is from the Minority Office for the House Committee on Oversight and Government Reform.  Tom Davis is the representative from Northern Virginia and was the sponsor of FISMA back when it was signed.  Until the last election, he was the chairman of the House Committee on Oversight and Government Reform.  The committee is now chaired by Henry Waxman.

Time for a new concept in your vocabulary:  LGOPP (OK, actually it’s LGOP, but I added an extra “P” for comedy purposes).  Imagine June 6th, 1944, paratroopers scattered all over the French countryside.  What happens is you pick up the people around you, the senior person becomes the leader, and you carry out the mission.


Photo of Paratrooper Stained Glass in Sainte Mère Église by Nelson Minar

Hence the true meaning of LGOPP: Little Groups of P*ssed-off Paratroopers.  An equivalent phrase is “isolated pockets of brilliance”.

In the words of somebody I went off to war with:  “LGOPPs are the spirit of the infantry:  a handful of 18- and 19-year-olds with fully automatic weapons who can barely remember what their mission is, running around the woods raising hell”.

Now, I know you guys, you’re wondering what this has to do with security.  Well, it’s relevant because it’s an election year.  What that means is that instead of being bothered with all this security stuff, Congress is busy playing “gotcha” with the Executive branch.  After the election, it’s rearranging deck chairs on the Titanic and all of the leadership will change.

Instead of any national-level security agendas and strategizing, we’ll have to be content with security LGOPPs fighting the fight wherever they end up gaining enough critical mass.

And in the case of this year’s FISMA report card, the LGOPP that is Tom Davis’s staffers issued the report while the rest of the committee was busy worrying about elections.

Posted in FISMA | 5 Comments »

5 Responses

  1.  flyingpenguin » Blog Archives » Guerrila CISO on FISMA Says:

    […] Guerilla CISO blog has some amusing points posted about the dismal (nine Fs) 2007 FISMA report: I can’t believe […]

  2.  M H Says:

    I don’t suppose they post grades at the agency (rather than department) level, do they? While I don’t mind moving from an ‘F’-rated organization to another ‘F’, I’d like to know if maybe, more specifically, I’ve moved to an ‘F+’ or something.

  3.  Dan Philpott Says:

    If you want to be asked to dance you should sign the dance card.

  4.  Darren Couch Says:

    I am thinking you were the one who made said quote about LGOPP’s… =)

  5.  rybolov Says:

    Hi MH

    Sadly, they don’t go down to the agency level. But then again, it’s all about the people there, so if you have a couple key personnel changes (Pat Howard leaving HUD for NRC), then the grade isn’t going to tell you that much. Just like the private sector, it’s having contacts and professional networking.