No, FISMA Doesn’t Require That, Silly Product Pushers

Posted July 31st, 2008 by

Post #9678291 on why people don't understand what FISMA really is: Secure64 DNSSEC Press Releases.

“FISMA Act encourages U.S. government agencies to configure their DNS servers to the DNSSEC security specifications set by the National Institute of Standards and Technology, and it has been reported that the federal government's Office of Management and Budget (OMB) plans to begin enforcing DNSSEC requirements through an auditing process, setting the standard for DNS best practices.”

Yep, stamp FISMA on it and people will buy it, at least in your PR department's wettest and wildest dreams. Guys, it's been 6 years; that kind of marketing doesn't work anymore, mostly because we spent ourselves into oblivion buying junkware similar to yours, and now we're all jaded.

Now don't get me wrong, DNSSEC is a good thing, especially this month. But there is something I need to address: FISMA requires an agency-wide security management program measured against a dozen or so key indicators; it does not prescribe any particular solution down to the technical level. Allusions to OMB are just FUD, FUD, and more FUD, because unless it's in a memo to agency heads, it's all posturing, something everybody in this town knows how to do very well. OMB would rather stay out of mandating DNSSEC and maybe give a “due date” once NIST has a final standard.

My one word of wisdom for today:  anybody who tries to sell a product and uses FISMA as the “compelling event” has no clue what they’re talking about.


Posted in FISMA, What Doesn't Work

7 Responses

  1.  Chris Says:

    You put peanut butter in my chocolate.

  2.  Dan Philpott Says:

    If they’d said, “NIST’s FISMA guidance encourages …” they would have been correct.

    What has always frustrated me about 800-53’s SC-20 and SC-21 is that NIST comes so close to saying to use DNSSEC but stops short of doing so. I can speculate as to the rationale, NIST typically doesn’t want to dictate how to come into compliance and avoids advocating particular products to meet compliance. But this isn’t a product, this is a standard, and NIST has never shied away from specifying the standards we are expected to meet.

    On another note, the one thing that gives me pause with DNSSEC is that djbdns refuses to support it. DJ Bernstein has some discussion of why he won’t support it on his website but it’s a bit dated. And if the most secure DNS software available won’t support the DNS security standard then it’s time to reconsider how secure that DNS standard is.

  3.  Jeremy Says:

    I never understood how DNS got three whole security controls all to themselves. Is there any other topic that gets as much face time?

    Plus, I know absolutely no one who uses DNSSEC. Most people have never even heard of it. And the only widely used product that I know of that can use it is BIND 9, I believe. I don't think that MS has any plans of implementing it in the future.

  4.  rybolov Says:

    Maybe, just maybe, we can get a DNSSEC thingie going with a PKI and HSPD-12 thingie, but at that point my head starts spinning with silver-bullet acronyms and I pass out.

  5.  Jeremy Says:

    One word: Abacus.

  6.  Silly Product Pusher Says:

    As an employee of Secure64 who was involved in creating the press release to which this blog refers, I felt a need to respond.

    The press release states that FISMA “encourages” adoption of DNSSEC. Nowhere in the press release does Secure64 state that FISMA “mandates” it, or “requires” it. So the title of your blog reprimands “silly product pushers” for something that hasn’t happened. FYI, this “encouragement” comes from NIST Special Publication 800-81, which specifically recommends deployment of DNSSEC as part of a secure DNS.

    Just so you know…

  7.  rybolov Says:

    Thanks for the comment SPP. =)

    I don't have any problem with saying that something is encouraged; the problem I have is when you use the same language to *imply* that your product is required. FISMA does not encourage any particular solution; the NIST guidance does. You're confusing the law with the implementation framework: one is guidance and the other is public law, which you allude to in order to lend your press release more credibility.

    As an industry, we have enough FUD about products and standard compliance. Please don’t lower yourself to this level.
