Feeds

•  Posts RSS
•  Comments RSS
• Subscribe via Email

Phone-Readable

Recent Comments

• Darren Couch on DHS is Looking for a CISO
• MMO Tag on Training for the Zombie Pandemic
• Sam Bowne on The Rise of the Slow Denial of Service
• jg on Apache Killer Effects on Target
• Apache Killer Effects on Target | The Guerilla CISO on The Rise of the Slow Denial of Service

What’s Hot

Tags

Categories

• Army (24)
• BSOFH (15)
• Cyberwar (7)
• DDoS (7)
• Diary of a Startup (3)
• DISA (9)
• FISMA (148)
• Flyfish (20)
• Hack the Planet (28)
• IKANHAZFIZMA (79)
• ISM-Community (15)
• NIST (93)
• Odds-n-Sods (117)
• Outsourcing (32)
• Public Policy (35)
• Rants (108)
• Risk Management (75)
• Speaking (32)
• Technical (93)
• The Guerilla CISO (80)
• Uncategorized (6)
• What Doesn't Work (87)
• What Works (112)
• Zombies (44)

Blogroll

• Amrit Williams
• Ascension Blog
• BackTrack
• Backwater Angler
• Chateau Blogsville
• Chris Hoff
• Cypher Punk Reading List
• Emergent Chaos
• Gunnar Peterson
• How Is That Assurance Evidence
• InfoSecAlways
• ISM-Community
• ISM-Community Blogs
• ISM-Community Combined Feed
• Jack Whitsitt
• Layer 8
• LOLFED
• Martin McKeay
• My Linux Blog
• NoVa InfoSec Portal
• Rich Smith
• Riskanalys.is
• Rob Newby
• Security Buddha
• Securosis
• Technology Liberation Front
• The New School of Information Security
• The Ninja CISO
• This is Fly
• TSSCI Security

Archives

• October 2012
• May 2012
• December 2011
• November 2011
• September 2011
• August 2011
• April 2011
• February 2011
• January 2011
• December 2010
• November 2010
• October 2010
• September 2010
• August 2010
• July 2010
• June 2010
• May 2010
• April 2010
• March 2010
• February 2010
• January 2010
• December 2009
• November 2009
• October 2009
• September 2009
• August 2009
• July 2009
• June 2009
• May 2009
• April 2009
• March 2009
• February 2009
• January 2009
• December 2008
• November 2008
• October 2008
• September 2008
• August 2008
• July 2008
• June 2008
• May 2008
• April 2008
• March 2008
• February 2008
• January 2008
• December 2007
• November 2007
• October 2007
• September 2007
• August 2007
• July 2007
• June 2007
• May 2007
• April 2007
• March 2007
• February 2007

Blog under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License

FISMA Report Card News, Formulas, and 3 Myths

Posted May 27th, 2008 by rybolov

Ever watch a marathon on TV?  There’s the usual formula for how we lay out the day:

• History of the marathon and Pheidippides
• Discussion of the race length and how it was changes so that the Queen could watch the finish
• World records and what our chances are for making one today
• Graphics of the race course showing the key hills and the “sprint to the finish”
• Talk about the womens’ marathon including Joan Benoit and Kathrine Switzer
• Description of energy depletion and “The Wall”
• Stats as the leaders hit the finsh line
• Shots of “back-of-the-pack” runners and the race against yourself

Well, I now present to you the formula for FISMA Report Cards:

• Paragraph about how agencies are failing to secure their data, the report card says so
• History and trending of the report card
• Discussion on changing FISMA
• Quote from Karen Evans
• Quote from Alan Paller about how FISMA is a failure and checklist-driven security
• Wondering when the government will get their act together

Have a read of Dancho’s response to the FISMA Report Card.  Pretty typical writing formula that you’ll see from journalists.  I won’t even comment on the “FISMA compliance” title.  Oh wait, I just did.  =)

Some myths about FISMA in particular that I need to dispell right now:

1. FISMA is a report card:  It’s a law, the grades are just an awareness campaign.  In fact, the whole series of NIST Special Publications are just implementation techniques–they are guidance after all.  Usually the media and bloggers talk about what FISMA measures and um, well, it doesn’t measure anything, it just requires that agencies have security programs based on a short list of criteria such as security planning, contingency planning, and security testing.  It just goes back to the adage that nobody really knows what FISMA is.
2. FISMA needs to be changed:  As a law, FISMA is exactly where it needs to be.  Yes, Congress does have talks about modifying FISMA, but not much has come of it because what they eventually discover after much debate and sword-waving is that FISMA is the way to write the law about security, the problem is with the execution at all levels–OMB, GAO, and the agencies–and typically across organizational boundaries and competing master agendas.
3. There is a viable alternative framework:  Dancho points out this framework in his post which is really an auditors’ plugin to the existing NIST Framework for FISMA.  Thing is, nobody has a viable alternative framework because it’s still going to be the same people with the same training executing in the same environment.

Urban Cell-Phone Fire Myth photo by richardmasoner.  This myth is dispelled at snopes.com.

Way back last year I wrote a blog post about indicator species and how we’re expecting the metrics to go up based on our continual measuring of them.  Every couple of months I go back and review it to see if it’s still relevant.  And the answer this week is “yes”.

Now I’ve been thinking and talking probably too much about FISMA and the grades over the past couple of years, so occassionally I come to conclusions .  According to Mr Vlad the Impaler, the report card is a bad idea, but I’m slowly beginning to see the wisdom of it:  it’s an opportunity to have a debate and to raise some awareness of Government security outside of those of us who do it.  The only other time that we have a public debate about security is after a serious data breach, and that’s not a happy time.

I just wish the media would stop with the story line that FISMA is failing because the grades provide recursive evidence of it.

Similar Posts:

• FISMA Report Cards Issued–Response is Rote by Now
• GAO’s 5 Steps to “Fix” FISMA
• A Funny Thing Happened Last Week on Capital Hill
• Random Thoughts on “The FISMA Challenge” in eHealthcare
• When the Feds Come Calling

Posted in FISMA, NIST, What Doesn't Work, What Works | 9 Comments »
Tags: auditor • blog • collusion • comments • compliance • fisma • gao • government • infosec • management • omb • scalability • security

9 Responses

1.  Dan Philpott Says:
   May 27th, 2008 at 2:47 pm

   I sometimes think that most reporting on the FISMA report cards comes from Lake Woe-Be-Gone, where all the security is strong, all the consultants can do it better, and all the Agencies are above average (with profound apologies to A Prairie Home Companion.)

2.  LonerVamp Says:
   May 27th, 2008 at 5:58 pm

   Just like FISMA can provide soundbyte awareness to high-up mucky-mucks, it is chum to journalists who are unable to exhibit any further expertise than giving high-up mucky-muck-style responses.

   Neverending chum, I might add, because nothing will solve compliance or security, other than ongoing diligence. And that’s chum chum chum to media!

3.  LonerVamp Says:
   May 27th, 2008 at 5:59 pm

   Chum!

4.  rybolov Says:
   June 2nd, 2008 at 9:36 am

   Gotta chum up the water so the big sharks will arrive. =)

5.  Richard Masoner Says:
   June 5th, 2008 at 7:44 pm

   Interesting observations — I wrote security software (ye olde DoD orange book “Trusted Systems” stuff) in a previous life. Thanks for using my photograph to illustrate your post.

6.  rybolov Says:
   June 5th, 2008 at 8:16 pm

   Hi Richard

   Thanks for posting your picture on Flickr using a Creative Commons License, otherwise I never would have found it.

   Let’s all join in a rousing rendition of “The Free Software Song”. =)

7.  fkenisky Says:
   January 12th, 2010 at 10:18 am

   Interesting article but I’m not sure where you stand on this issue.

   My first problem is with someone like Alan Pallar who criticizes these laws and regulations and only states that good security will prevail. ‘Rocky what me pull a rabbit out of my…’

   As a CISO and ISO over the past 8 years I believe that management believes that there is no security so to hell with it all. That nothing we do is going to save us or security is the firewall’s responsibility.

   As an ex IT auditor I can say that without adherence to anything you have exactly what you ad hear to. Nada. Nothing.

   So as an auditor you look for internal controls which is addressed in NIST. However if you don’t follow NIST because Alan Pallar said it’s worthless and you use that to justify not having Internal Controls then you agree to no accountability.

   You can’t have it both ways. You either follow a standard or you live in kaos and wing it. But then you also live with the consequences. If PCI standards state that you should have a type of tripwire installed on your systems to provide a measure of internal controls but you state because we trust each other that should be sufficient to justify no internal controls or accountability and PCI fines you $50,000 for each month you haven’t complied is that good business?

   But it doesn’t provide us with security? Having internal controls doesn’t provide you with security? (and believe me I’ve heard this one from a manager who is as dumb as a door frame)

   In my day you didn’t stand up a box till you had harden it. That meant you removed all unnecessary applications, services and other nefarious things. Today we do a default install of Enterprise Linux and we’re good to go, plug it in the network, install our database and off we go. According to management removing those unnecessary things doesn’t pertain to them. But it’s a requirement by PCI. But it won’t make me more secure.

   I’m off on a rant right now so bear with me.

   Security is everyone’s responsibility not just the ISO’s. Management that I’ve had the pleasure of dealing with thinks that the ISO is the boy who puts his finger in the dam to stop the leak. They don’t care about the infrastructure of the dam they only care about stopping the leak.

   Their feeling is, ‘if we get hacked we’re in big trouble’. In my opinion that’s too late. Sorry I took so much space.

8.  rybolov Says:
   January 13th, 2010 at 8:28 am

   Nice Rant.

   I’m on the side of common sense if that’s a side to be on.

   Opinion: Without the scorecard, nobody would care enough to do anything.

   Opinion: Everybody always misinterprets the results.

   Opinion: FISMA isn’t failing, it’s a workforce management issue, both for security staff and for federal employees at large.

9.  fkenisky Says:
   January 13th, 2010 at 4:26 pm

   I agree with the third opinion.

   Also didn’t know if you noticed but my rant does pick at Alan Palard; who happens just in case any other googlers happen upon this page wonder who we may be talking about, the chair of SANS.org an IT Computer Security think tank.

   With that out of the way if you read my rant you will know that Alan considers FISMA and this Federal measurement as meaningless and by trying to comply does not make you secure.

   However recent news I have discovered what I thought all along. Alan was positioning himself to become the Guru of FISMA. Now SANS has come up with ICE which I’ve seen in coordination with FISMA.

   Why is this important? Because part of the measure of this security will certainly become weather enough Federal Employees are GLIC certified by SANS.

   No wonder FISMA doesn’t work, yet.

Leave a Comment