Ooh, “The Word” is out on S 3474

Posted September 19th, 2008 by

Federal Computer Week: Senate Panel Rejects Weakening S 3474

Gene Schultz: Goodbye FISMA (as We Know It)

Let’s talk through the FCW article first, shall we?   =)

“The measure would amend the original FISMA legislation, which outlined compliance activities for agencies to meet each year. However, many agencies have turned FISMA compliance into a paperwork exercise, Carper said.”

Um, no, I don’t get that.  The original FISMA is an information security management law; this law mostly formalizes the role, responsibility, and authority of the CISO.  They intentionally named it FISMA 2008 to make people think that it was amending the original FISMA, but it doesn’t do that.

Don’t believe the hype, this will not change the original FISMA, it’s just an addition.

“Carper said CIOs primarily develop and oversee policy, but the CISO handles the daily information security activities. He suggested that a CISO council could have a sunset date of two or three years. If the council demonstrated benefits, it could be extended, Carper said.”

OK, fair enough on the cost and coordination, but what the CISO council objectionists don’t understand is that the CIOs don’t know all of the nuts and bolts of security; that’s why we have the CISO as a mandatory position in this bill–so that the CIO has a subject-matter expert to help them out.  Yes, it’s that specialized as a profession.

Now for Gene Schultz:

“First and foremost, to comply with this statute involves generating huge amounts of paperwork to document actions (or lack thereof) taken to address the many areas that FISMA describes. A completely ineffective security practice can get high FISMA marks, as has happened numerous times before.”

OK, this is a little lesson on FISMA paperwork:  people are doing 4x what they should be doing for the following reasons:

  • The people doing the writing do not know what they are actually doing
  • The agency’s security program is not mature enough to have shared/common controls
  • In the world of auditors, if it’s not written down, it doesn’t exist
  • CYA purposes–I told you this was a risk

So you think you’re going to do any better with any other framework/law and the same people executing it?

“Two US Senators, Joseph Lieberman of Connecticut and Tom Carper of Delaware, have recently introduced a Senate bill that would render the 2002 version of FISMA obsolete.”

No, to be bluntfully honest, the old version of FISMA will still be around.  Somebody’s been drinking the kool-aid from the lawmakers and the press machine.  If anything, this adds more junk that you can get audited on and an additional layer of paperwork to demonstrate that you have met the provisions of FISMA 2008.


Note to our nation’s Lawmakers: as long as you approach information security from the compliance angle, we as a government are doomed to failure and to turn the entire thing into the checklist activity because the people who evaluate compliance are auditors who only know checklists–it’s not a law problem, it’s a people and skills problem.

This bill is actually pretty good with the exception of divorcing the mission owners from the security of the systems that support their mission.

However, if you think that you can reduce the compliance trap by adding more things that will end up on a compliance checklist, you have to be kidding yourself or you don’t understand the auditor mentality.

I keep reconvincing myself that the only way the government can win at security is to promote programs to develop people with security skills.  Of course, that isn’t as sexy as throwing out a bill that you can claim will make FISMA obsolete.

And finally, for those of you playing along at home, the Thomas entry for S 3474, the bill’s page on Washington Watch and the bill’s page on GovTrack.


3 Responses

  1.  Vlad the Impaler Says:

    As always, Komrade Vlad is too busy to actually read details, just skim them and move on, then send the article off to Rybolov as an FYI…
    Komrade Rybolov does bring up some good points regarding people/skills and government actually nurturing or developing specialized talent…
    This would be great if it doesn’t turn into a “qualify the contractor” or “qualify the guvvie” exercise. Last thing we need is another rush for “More Certifications!!!” Certifications really haven’t helped the FAA (sorry to name names) with their security program, although they do have more CISSPs on their roster than many similar-sized organizations…
    You say, “But Vlad, you have a certification!” Really, this isn’t heresy — the issue of certifications raises some hackles with me ‘cuz I still see too many folks with letters after their names who haven’t a klew.
    Mind you, many of these are the very same folks who:
    – Think C&A and FISMA is all about the volume of paper they deliver, (‘cuz they get paid by the pound)
    – Run/act as bloviating, self-serving, non-independent, spokespeople for professional organizations and decry that “FISMA is broken and will never work” because it focuses on the enterprise rather than the administrator in the trenches…

    Hmm. When will lawmakers and other sycophants learn that security is not about paper or a compliance snapshot — it’s about what an organization does every day before the auditors come and after they leave?!

  2.  Norm Says:

    From the inside:
    If you don’t listen to your professional advisors, you’ll read about your lack of understanding in the morning paper.

  3.  Insider Says:

    I am from the generation where most if not all non-security professionals saw security as the “red headed step-child” left in the backroom that no one talked about, but was fed only when necessary. However, by virtue of the very environment in which we live, security has been made part of the family, finding acceptance when “justified” by a title or certification; hence often the proof with no real substance.
    Validity is given when proven by the measure of compliance; therefore, the parade of checklists across the desk in an endless effort to appease the lawmakers and validate auditors.
    However, the reality should be this: System Administrators who know just as much about system security as system administration. Network Engineers/Designers who can develop information-secure systems without one thought of “design first, secure later”.
