First, some links:
Synopsis: DoD wants to know how its system integrators protect the “Controlled Unclassified Information” that they give them. Hmm, sounds like the fun posts I’ve done about NISPOM, SBU and my data types as a managed service provider.
This RFI is interesting to me because basically what the Government is doing is collecting “best practices” on how contractors are protecting non-classified data and then they’ll see what is reasonable.
Faustian Contract photo by skinny bunny.
However, looking at the problem, I don’t see this as much of a safeguards issue as I do a contracts issue. Contractors want to do the right thing; it’s just that they can’t decide which of these things security is:
- A service that they should include as part of the work breakdown structure in proposals. This is good, but can be a problem if you want to keep the solution cheap and drop the security services from the project because the RFP/SOW doesn’t specify what exactly the Government wants by way of security.
- A cost of doing business that they should reduce as much as possible. For system integrators, this is key: perform scope management to keep the Government from bleeding you dry with stupid security managers who don’t understand compensating controls. Problem with this approach is that the Government won’t get all of what they need because the paranoia level is set by the contractor who wants to save money.
Well, the answer is that security is a little bit of both, but most of all it’s a customer care issue. The Government wants security, and you want to give it to them in the flavor that they want, but you’re still not a dotorg: you want to get compensated for what you do provide and still make a profit of some sort.
Guess what? It takes cooperation between the Government and its contractors. This “Contractor must be compliant with FISMA and NIST Guidelines” paragraph just doesn’t cut it anymore, and what DoD is doing is to research how its contractors are doing their security piece. Pretty good idea once you think about it.
Now I’m not the sharpest bear in the forest, but it would occur to me that we need this to happen in the civilian agencies, too. Odds are they’ll just straphang on the DoD efforts. =)