I have a unique vantage point on how security, outsourcing, consulting, and the public sector work.  While I am a contractor who works for a company that provides outsourcing services, most of the time I end up arguing the government’s standpoint to my company, and I end up arguing my company’s standpoint to the government.

In short, I argue a lot.  =)  So much, in fact, that most of the time people have to ask who I work for and they’re shocked to find out the truth.

One issue that I hold close to my heart is how to manage security in outsourcing.  I’ve seen what works, and I’ve seen what doesn’t work, but usually more of the latter.

The truth is that while the government is getting smarter about outsourcing, we still have miles to go.  For example, more often than not a government contract nowadays contains a clause that “the contractor must be compliant with FISMA and NIST standards and guidelines”.  On one hand, I like this, it shows that “The Word” (TM–thanks, Joe) is slowly sinking in.  However, it’s not enough, and I’ll explain why.

The problem is that if you are wearing a contractor hat, what you are looking at is a simple problem: “How do I estimate the cost to me for providing security support to the government as part of this contract?”  This is a problem because “compliant with FISMA and NIST standards and guidelines” runs an entire range of situations from horrible Bataan-death-march malicious compliance contracts to well-managed common controls shops, and unless I have prior experience with this particular agency, I don’t know which side of the spectrum they are on.

As a contractor, when it comes to security, we are almost always responding reactively to security requirements.  This might mean that we have to significantly change the solution mid-stream in order to satisfy what the government wants.  Contractors don’t like this because it means we have to fight with the government over costs, which is just no fun for either of us.  On the government side, we’re wondering why the contractors don’t just Do What I Mean, since I obviously said “be compliant or else”.

Just thinking back, I know what to expect from a handful of agencies, but if they’ve experienced key personnel changes or were suddenly born-again security-wise because of a bad report card, then suddenly my crystal ball has gone black.  Wouldn’t it be nice if we could ask them in advance on which side of the teeter-totter they are sitting on?

Well, I have a partial answer.  You cynics were waiting for this, weren’t you?

How about the government starts their System Security Engineering process and their Certification and Accreditation before they send out the Request for Proposal or Request for Information?  That way, when we send out something for the industry to respond to, they have something to base their security estimates on.  According to the fancy manuals, this is how we should be running the Capital Planning and Investment Control Process all along.  You’re not that mature as an agency?  Don’t worry, you’re not alone.
We have the tools already built to do this.

We have FIPS-199 (ratings for Confidentiality, Integrity, and Availability) which can provide a contractor with a very rough order of magnitude on how much security to build into their response.  As soon as we know what we want to use the system for, we can determine data types and, by extension, criticality.

And we have FIPS-200/SP 800-53 which, although we don’t want to build the entire set of controls, we can select controls out of the catalog which absolutely need to be implemented.  We base this on, take a seat for this one… risk assessment.  We can then put these controls (a dozen or so of the high-priority controls at the most, otherwise you’re defining the solution space and limiting the flexibility of the vendor to be cost-effective) as security requirements or even functional requirements.

Now isn’t that better than a blanket FISMA/NIST clause?

• Keys to the Outsourcing Kingdom
• Imagine that, System Integrators Doing Security Jointly with DoD
• Your Security “Requirements” are Teh Suxxorz
• How Much Security Should the Outsourcer Do?
• Compensating Controls