It’s probably a shocker to most people, but I’m going to recommend that S.3474 be amended or die on the Senate floor like Caesar.
I’ve spent many hours reading over S.3474. I’ve read the press releases and articles about it. I’ve had some very difficult conversations with my very smart friends.
I’ve come to the conclusion that S.3474 as written/proposed by Senators Carper and Leiberman is not the answer to information security in the Government as it has been publicized repeatedly, and that anyone who believes the hype is in for a rude surprise next fall if the bill is ratified and signed.
My thoughts on the matter:
- S.3474 is not what it is being publicized as. The people who write the press releases and the articles would have us believe that S.3474 is a rewrite of FISMA 2002 and that it focuses on continuous monitoring of the security of IT systems, both of which are a good thing. First and foremost, it does not repeal FISMA 2002, and anyone saying that is simply trying to deceive you. S.3474 adds to the FISMA 2002 requirements and codifies the role and responsibility of the agency CISO.
- S.3474 does not solve the core problem. The core problem with security and the Government is that there is a lack of a skilled workforce. This is a strategic issue that a bill aimed at execution of security programs cannot solve by itself.
- S.3474 adds to the existing checklists. People have been talking about how S.3474 will end the days of checklists and auditors. No, it doesn’t work that way, nor is the bill written to reduce the audits and checklists. When you introduce new legislation that adds to existing legislation, it means that you have added more items to the existing checklists. In particular, the provisions pertaining to the CISO’s responsibilities are audit nightmares–for instance, “How do you maintain a network disconnect capability as required by FISMA 2008” opens up a whole Pandora’s Box worth of “audit requirements” which are exactly what’s wrong with the way FISMA 2002 has been implemented.
- S.3474 puts too much of the responsibilities on the CISO. It’s backwards thought, people. The true responsibility for security inside of an agency falls upon that political appointee who is the agency head. Those are the people who make the decisions to do “unsafe acts”.
- S.3474 does not solve any problems that need a solution. Plain and simple, it just enumerates the perceived failings of FISMA 2002. It’s more like a post-divorce transition lover who is everything that your ex-spouse is not. Let’s see… technical controls? Already got them. Requirements for network monitoring? Already got them. 2nd party audits? Already got them. Requirements for contractors? Already got them. Food for thought is that these exist in the form of guidance, does the security community as a whole feel that we need to take these and turn them into law that takes years to get changed to keep up with the pace of technology? There is some kind of segue there into Ranum talking about how one day we will all work for the lawyers.
Of course, this is all my opinion and you can feel free to disagree. In fact, please do, I want to hear your opinion. But first and foremost, go read the bill.
i haz a veto pen photo by silas216