Want me to take a stab at what the information security management world will look like in 5 years?  I think I’m starting to see the start of it, and I’ll tell you about it if you sit for awhile and listen.

The US government does some things right.  Yes, you heard me correctly.

You probably think by now that all I do now is whine about huge levels of gross incompetence I see on a daily basis and how I could singlehandedly run the government all while sitting at home, sipping on a coke, and crunching data on my own personal cluster of beowulf clusters.

But really, the government does some things right.  The folks at the NIST FISMA project do some very amazing things, and I’m not just saying that to suck up to Ron and Marianne.

One thing that the government does right is to make their guidelines available for free to anyone over the internet.  And some of them beat the pants off what you would find in the commercial world.  Inside ISM-Community, when we started the Risk Assessment Methodology Project, I personally found it hard to ignore the fact that Special Publication 800-30 was staring me in the face.  How really do you improve on it?  Well, for starters you take 800-30 as a base process and then add more specific guidelines, examples, and templates, which is pretty much what our methodology started out as.
One of the things that NIST does really well is to provide you with a framework.  It’s extensible to include various standards (PCI, 7799, and the government’s home-grown 800-53), tailorable, and is designed to hook security into the system development life cycle (SDLC).  It’s entirely free as in beer and free as in you have the ability to import into your own processes.

Would you be surprised if I told you the framework was certification and accreditation?

Yes, I’ve criticized certification and accreditation a bazillion times.  Well, I haven’t really criticized the process–personally I think it’s really strong.  Instead, I criticize the implementation of the process and how the people who are tasked with C&A usually do not have the technical skills to accomplish what they are trying to do.

I’ve seen 2 RFPs out on the street in the past couple of months for C&A services for local governments.
This is driven by auditors and practitioners coming from the federal government who are making recommendations on joint systems, like RealID will end up if the states don’t rebel like it seems they are starting to do.

The future will bring along C&A, and it might even turn out to be the vehicle for needs determination and risk assessment, but C&A has to adapt and lose some of it’s heavy baggage along the way.

• FISMA Fellows Spring Cohort
• What the Government Looks for in a Product
• NIST’S FISMA Pase II–Who Certifies Those who Certify the Certifiers?
• Build a Security Program
• Remembering Accreditation