It’s All About Common Controls!

Posted February 21st, 2007 by

Inspired by Richard Bejtlich.

I both love and hate FISMA and C&A.  FISMA itself is pretty good:  Do security planning and tie security into the budget.  That’s great.

But why are we spending all this effort as a jobs program for security people who have no skills?  I want to see C&A people out of business.  As an infantry squad leader, I didn’t outsource planning my missions to contractors who aren’t going with me to be shot at, so why should the government outsource security planning to somebody who has never even seen the system?

I want to see the government figure out a way to do things cheaper, faster, stronger, so that they can spend money and effort on things that matter more than documentation.  C&A was supposed to do that, but it’s now impossible to do right because you have too many people with oversight of security planning who want to argue semantics.

This is my secret to C&A nirvana:  document and test the shared controls once (read: managerial and operational controls), then get on with your life.  Out of the plethora of controls in 800-53, why don’t you create one common controls package (at the risk of sounding like a complete and utter wonk, this is the purpose of having a General Support System) and then for each system, you say “same as the common controls package, this is how we built this system”.  That should limit the repetition of effort to the minimum.

There is no reason that I should have to test my security policy for each system that I own.  That’s a waste of time.  If we keep reinventing the wheel and playing NIH (Not Invented Here) games, we will continue to hemorrhage cash on rewrites of security plans that do not add security value with the exception of mitigating the “auditor risks”.

The System Security Plan (SSP) for one system should be a small binder (or even *gasp* stapled), not a rehash of every NIST publication, the agency policy, and a bunch of fluff to make it look like you added value.  People who do the latter activities or insist on them need to be put out of business, and that’s why I can appreciate the anti-wonk backlash that Richard promotes.



Similar Posts:

Posted in FISMA, NIST, Rants, Risk Management, What Doesn't Work | 1 Comment »

One Response

  1.  david Says:
    February 10th, 2009 at 7:18 pm

    duly noted and agree,
    D’OH!

Leave a Comment

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.


Visitor Geolocationing Widget: