Next Up in Security Legislation: S3474

Posted September 15th, 2008 by

And here we have it, a bill introduced by Senators Carper and Lieberman to increase security in the Government, known as FISMA 2008. I’m still waiting on the text to appear on the Thomas entry, but I’ll go through the major provisions from the congressional record.

Article from NextGov

Thomas Reference

Congressional Record of the Bill’s Introduction and text (Starts on CR 8388 and goes through CR 8391)

Major provisions:

  • Changes some definitions of “assessment”, “audit” and “evaluation”. OK, I had to do some research on this one.  Thankfully, this is all online.  Sidenote: it’s not Section 3545 as per the bill, it’s Section 3535.  Basically this is just rewording and rescoping of annual audits to be written the way it should have been in the first place.
  • Creates a CISO position at each agency. Hey, I thought this was already created by FISMA.  What we need is not CISOs that work for the CIO, what we need are agency CSOs (I’ll even take an agency Chief Risk Officer) that have authority over all of security, not just IT geek concerns.
  • Creates a CISO Council. Fantastic idea, how come I didn’t think of it?
  • Qualifications for CISOs. Not a bad idea, but the bill doesn’t elaborate too much.
  • Responsibilities for CISOs. This is an interesting section.  Much of this is in guidance from NIST/DISA/CNSS already.  I like most of these measures, but I’m not sure that they need to be codified into law except for the pieces that reside outside of the agencies, like the coordination with US-CERT.  Putting the CISO’s responsibilities into law does give the CISO more teeth if they need it, but you have to wield the law carefully.

[Image: The Law, photo by F.S.M.]

From the NextGov article and the congressional record:

“Our bill empowers chief information security officers to deny access to the agency network if proper security policies are not being followed. If we are going to hold these hardworking individuals accountable in Congress for information security, then we should give them the authority to do so,” said Carper.

Um, yeah, we’ve given them the authority in this bill, but my problem is that it completely removes the DAA/AO/mission owners from the picture–the CISO is now responsible for the secure operations of IT systems and has disconnect authority.

I think that philosophically this bill is a step backwards.  The more progressive thought is that security is the responsibility of the agency head and the mission owners and that the CISO just provides support as a subject matter expert.  Under this bill, we’re back to a world where the CISO is the sole decision-maker when it comes to security.  Wow, that’s so… 1990’s-ish.

However, we all know that the CISOs are the people getting the security job done from day to day, and this bill makes sense if you assume that the agency heads and DAAs/AOs have 0 interest or skills to assist in the security of their data.  That might or might not be true, I’ll leave it up to you to decide.

Questions for today are these (and yes, I want to hear what you think):

  • Are we willing to scrap the “business/system owner” concepts that our security management processes are modeled around?
  • Are we willing to admit that the DAA/AO concept is a failure because of lack of understanding and capabilities on their part?
  • Are the mission owners willing to accept an outage of their supporting IT infrastructure when the CISO takes a system offline because they didn’t secure it properly in the first place?
  • Can we rely on a management technique where the stakeholders are removed from the decision-making of a trained expert?


4 Responses

  1.  Saso Says:

    1. In a word: No. That would be a step back; a huge step back. First we fight with the “security is everyone’s concern” message for a few years, then we finally get some traction and people slowly wake up to the realisation that it is their information and they need to make sure they don’t do anything silly with it. The problem is already identified: CISO’s are held *accountable* for something that is clearly not their remit. Responsible they should be; accountable not. Accountability for management of assets physical or otherwise, has always been with the owners of those assets. Why does the world suddenly forget everything as soon as the subject comes to technology?

    2. No, just assign accountability accordingly and then enforce it. 🙂 We’re always good at assigning accountability and responsibility, but we fall short of actually enforcing it both when things go wrong as well as when people do a stellar job. (And you know my comment is quite generic, being firmly planted in the corporate world)

    3. 🙂

    4. Didn’t we try that before? Actually, we are still doing it, even as we pay lip service to “better management practices” and “better governance”.

    BTW, happy belated birthday.

  2.  Ooh, “The Word” is out on S 3474 | The Guerilla CISO Says:

    […] This bill is actually pretty good with the exception of divorcing the mission owners from the security of the systems that support their mission. […]

  3.  mumo Says:

    Don’t scrap SOs/MOs. I agree with CISO = Agency Risk Officer at a senior level and should report to the agency head, not the CIO. Let the system/business owner continue to be accountable for secure systems, and the CISO become the de jure DAA (already de facto in many agencies). Their task should be to evaluate and accept risk for the agency (represent the head). After all, should mission owners really be making agency risk decisions?

  4.  rybolov Says:

    Hi mumo

    The problem I can see with making the CISO the DAA is that they need a budget to support it–it’s not a matter of just accepting or declining the risk, you also have the option of throwing more people and money at the system if you see fit. I don’t think that the CISO should be *that* guy. But yeah, they need to be part of everything that happens.
