Article from William Jackson in Government Computer News: Security policies remain a burden to federal IT managers, but they are producing results.
First off, GCN, come into the modern Web 2.0 era by letting people comment on your articles or at least allow trackbacks. Having said that, let’s look at some of Mr Jackson’s points:
- NIST Special Publications: They’re good. They’re free. The only problem is that they’re burying us in them. And oh yeah, SP 800-53A is finally final.
- Security and Vendors/Contractors: It’s much harder than you might think. If there’s interest, I’ll put out some presentations on it in my “copious amounts of free time”. In the meantime, check out what I’ve said so far about outsourcing.
- Documentation and Paperwork: Sadly, this is a fact of life for the Government. The primary problem is the layers of oversight that the system owner and ISSO have. When you are as heavily audited as the executive branch is, you tend to avoid risks and overdocument. My personal theory is that the reason is insistence on compliance instead of risk management.
- Revising FISMA: I’ve said it time and time again, the law is good and doesn’t need to be changed, the execution is the part that needs work.