Preliminary Findings on Cybersecurity Review Now Out

Posted April 1st, 2009 by

In a surprise move, the Obama administration is expected to announce abandonment of NIST’s Framework for FISMA in favor of adopting the Payment Card Industry Data Security Standard (PCI-DSS).

In information leaked to the Guerilla-CISO staff, an undisclosed source deep inside the 60-day cybersecurity review made the following observations:

  • Since everybody is complaining that FISMA is failing, the time for change is now while the Government is still in transition chaos.
  • The leading metrics support the fact that the Payment Card Industry standards do work.
  • There exists a large, relatively inexpensive and certified workforce focused around PCI-DSS.  This is preferable to the expensive, non-certified FISMA compliance workforce.
  • Billions of credit card transactions occur every day.  How could Visa and MasterCard be wrong?
  • WAFs and code review are all we need in a web-enabled Government 2.0 world.
  • PCI flip-flops on data encryption and the use of DLP solutions, and so do we.
  • Since one compliance framework is as good as another, we might as well pool our resources.
  • A significant amount of money is spent on FISMA compliance.  That would all be eliminated under a PCI compliance framework.
  • Technologies such as Scanless PCI can reduce the audit burden on the agencies to a couple of bottles of beer and a handshake.
  • The House testimony on the effectiveness of PCI-DSS was convincing that it is a viable standard.

In the interests of due diligence in reporting, the Guerilla-CISO staff tried to contact NIST’s Computer Security Resource Center and gained the following unofficial opinion:

“Screw those Obama guys.  Where were they when we were trying to create Government 1.0 and the FISMA Framework?  They haven’t put in the all-nighters because some yahoo at an agency lost a USB drive full of classified documents; they don’t have the experience to make this call.  I bet the administration thinks that they can outsource all responsibility to the cloud and get some ‘security through abstraction’.  Talk about gratitude for you. I’m going to go work for the International Standards Organization.”

PCI Plug-and-Play photo by ryan_franklin_az.

Posted in IKANHAZFIZMA, Rants | 9 Comments »

9 Responses

  1.  DanPhilpott Says:

    I’m updating the slides now!

    What a fantastic and visionary move to improve the security of Federal systems by outsourcing to a proven compliance regime like PCI-DSS. With PCI-DSS we can all sleep safely knowing we are Heartland(tm) Secure!

  2.  rybolov Says:

    Homeland, Heartland... see the similarity? =)

  3.  Graydon McKee Says:

    I bet the NIST guys only agreed to talk to you off the record too.

  4.  Darren Couch Says:

    So, does this mean I can update my DEERS records and shop ebay at the same time?

  5.  Mini-Me Says:

    Ok, does this mean Amazon will get a cage code now to hold my security clearance? How is that going to work in the cloud?

  6.  PorterD4 Says:

    I smell 27000!!

  7.  Mike Radigan Says:

    I just checked my calendar, you are indeed one day too late. Nice try, you had us going there for a minute. Tell me it ain’t so …

  8.  Top 3 NoVA Infosec Blog Posts of the Week | Says:

    […] about what the Obama administration is trying to do with cybersecurity. If nothing else, you should read the post for the “unofficial opinion;” it’s hilarious […]

  9.  djmed Says:

    Good post! PCI-DSS is the future of the 23rd century. I want more posts. I love your site. Thanks
