Two months ago, OMB released Memorandum 07-11 which established the authority for government-wide hardening standards for Windows products. It’s a very good thing in my opinion.

However, I’m beginning to see the start of the side effects. I have vendors already that are beating down my door trying to sell me compliance solutions that will help me meet this “oh-so-very-important standard”. I think they missed the other things I’ve had to say about compliance. The one worry that I have is that people will hit their systems with whatever technical policy compliance tool and think that they don’t have to do anything else. I think really that’s the one big problem I have with this entire class of products–they present themselves as the cure-all for all the security problems that an organization could have.

Knowing the people from NIST, it’s the classic problem that they have: They issue guidance and people blindly follow it even though it’s contradictory and not smart security. The best part is when people offer “NIST-Compliant” solutions (I take that out of our marketing material whenever I find it and then take the time to educate people on why it’s wrong) which are at best, “Our interpretation of the guidelines with numerous assumptions” and think that this is all that an organization should do security-wise. Well, the catch is that NIST, compliance frameworks, and vendors can’t anticipate every situation, so at the most what they’re offering is a 75% solution. If you go back to both NIST and OMB, they will tell you to make a decision based on a cost-benefit-risk comparison.

My friend Art Chantker from The Potomac Forum has an executive breakfast on the 24th with a good host of speakers–OMB, NIST, MicroSoft, and US Air Force. I’ll be there, just for the simple fact that I can refute claims later when somebody offers me yet another compliance solution. =)

This whole unified standard business was started by the US Air Force who very simply decreed that you wouldn’t connect a windows system to the network until it met the technical standards. Hmmm, wonder where they got the idea for a technical standard? This isn’t new, DoD has been doing it for years. I guess finally the clueful people got together and decided to make the migration to Vista a chance to get STIGs implemented in the civilian agencies.

• Some Comments on SP 800-39
• Speaking in July/August
• Core Belief #4 — Compliance is a Dead-End
• Special Publication 800-53 Revision 3 Workshop
• Opportunity Costs and the 20 Critical Security Controls

In order to get all my content spidered, I’m setting the blog pages and RSS feed up to be big this weekend. I’ll trim them back on Monday.

I also added a row of social networking bookmark widgets to each post in a shameless attempt to get a bit more traffic coming in. =)

• Business Leadership Training
• Is Myspace Satan?
• And Now for Something Completely Different…
• My Blog is Dead, Long Live My Blog!
• A Day in the Life of the Feedmaster

Attached are some pictures from the C&O Canal in Maryland.  It’s a nice warmwater fishery and although I have yet to catch the huge bass that live in it, I have seen them up-close on 2 occasions–they made my heart stop, they were so big.

Where the Bluegills Live

Looking Down the Canal

Baby Bassie

• Friday Flyfishing Post: A Tale of 2 Bass Flies
• Sunday Fish Picture
• Friday Flyfish Picture
• Friday Flyfish Post
• Friday Flyfishing Post

Somebody in SE Virginia has been spreading my name around, and now it feels like I have a new fan club down there.

We have a couple data centers and projects in the Hampton Roads area (Norfolk, Chesapeake, Hampton) .  They got my name from another one of our data centers that I interact with regularly.

Now I’m getting emails from people I’ve never met before looking for help with this FISMA thing or help with a DR/COOP  proposal.  I even fielded one call about clearances while I was looking for bits of fur at the local flyshop.  I think the more I help them out, the more calls I get from that area.

Which brings up my personal consulting policy.  If it takes up less than 30 minutes or so of my time, I’m always free for a call or email.  Any amount of time over that, you need dedicated help and probably need to contract somebody to do it.

I still get the occasional call from people I taught a year ago asking for help with a particularly tricky problem.  It’s nice to feel needed from time to time. =)

• Being the Resident Curmudgeon
• Even Better Spam
• Some Thoughts on Comments to My Blog…
• In Other News, I’m Saying “Nyet” on S.3474
• Some Thoughts from a Week or so of Being “Proposal B*tch”

Message to vendors:  If you want to break into the Managed Service Provider market, there is one thing extra that you need to do.

Enterprise-class products are reasonably good at being able to support a 3-tier model.  That way you can abstract out everything into  whatever architectural model you want.  Need more database oomph, add some more power at the database tier.  Need to support a remote site, put a data collector out there on the management LAN and just send events back to the central collectors.  This stuff is great.

But when it comes down to MSPs, there is one thing that we need above and beyond what enterprise-class products have.  We need to be able to flag data as belonging to a certain customer.  That way, once events have trickled up to the Single Pane of Glass (TM) that the NOC operators use, we still can tell which environment the event came from.  That requires tagging and the simple ability to have multiple devices on one IP address when clients have address collisions (everybody using 10.0.0.0 comes to mind).

• In This Corner, the Business Reference Model
• Sprinkling on the Magic FISMA Fairy Dust
• A Little Story About a Tool Named #RefRef
• Compensating Controls
• Database Activity Monitoring for the Government

Personnel turnover has to be the bane of life as a contractor in the DC area. As soon as you get somebody hired and trained, they’re out the door, taking the life of the project that they started with them. I think the average is less than a year.

I’m really rare. I’ve worked with the same company for 4.5 years. That’s an eternity in the environment I’m in. Granted I took a “little vacation” to “someplace sunny” in 1994, but still, I came back.

There are a couple of reasons that we have such a high turnover rate in the area:

• The demand is high and the supply of good security people is low. That means that the salaries are going up just as fast.
• Because salaries are so high, there is a very sizeable gap between entry-level positions and the top positions. HR raise formulas don’t compensate for this, so the only way to get a good salary increase year after year is to job-hop.
• Key personnel change at your company? No problem, you can very easily land somewhere more friendly. There isn’t much encouragement to stick around and work out your differences.

Like I say all the time, there are 2 job markets for me as a security professional: DC and the rest of the world.

As for why I’ve been at the same place for over 4 years, well, I hop around from project to project and site to site inside the company. In some ways, I’m letting the staffing burn rate make opportunities for me.

• Backhanded Compliments
• Tangling with the Clearance Monsters
• A Little Advice From Mike and Lee
• Milestones
• Taking a Cue From Hermey the Elf