I taught a 2-day seminar yesterday and the day before on Certification and Accreditation (NIST SP 800-37). It’s fun but tiring, and yesterday I definitely got worked pretty hard, teaching 800-53, 800-53A, and C&A in the SDLC.
I like to teach because I always learn when I do it. But then again, I learn when I blog, too.
Anyway, revelations from yesterday, and things that I don’t really have an answer to yet:
#1 We need a better tool than a POA&M because we’re trying to use them in 2 different ways. For those of you who don’t govorit’ govie, a POA&M is a “Plan of Actions and Milestones”, what you in the civilian world would call an action items list, a punch-list, or even a list of vulnerabilities. The problem is that we’re trying to use the POA&M both as a short-term tasklist and as a long-term strategic planning tool. I need to be able to do both, and I’m not sure if one POA&M list is the end-all be-all. What I really need is 2 lists, one with a 30-60-90-day scope that is the ISSO/Project Team’s view, and one that is a long-term 1-2-5-year scope to mitigate programmatic, enterprise-wide vulnerabilities that require CapEx or other investment such as standing up a secondary data center to support DR/COOP/BCP/$FooFlavorOfTheMonth.
#2 We have 2 conflicting purposes in information security in Government. One is presenting a zero-defects face to the world. The other is being able to freely discuss problems so that we can get them fixed. Understanding the dynamics between these 2 competing ideas is understanding why the Government succeeds in some areas and fails in others. To be bluntly honest, I don’t think that as a profession, security people have a good, valid model to deal with this conflict, and until we do, we will have a significant cultural obstacle to go around.
#3 As a government (and as an industry), we are good at the tactical level and fairly good at the operational level, but where we need people’s thought-power to go is towards the strategic level. This is my big heartburn about FISMA report cards: what we should be doing is to collect Government-wide metrics in order to answer questions that we need to understand before we make strategic decisions. As it is right now, our strategic moves are ad-hoc and consist mostly of trying to upscale some good security concepts (FDCC, limiting Internet connections, etc.) into something that might or might not work at such a huge, megalithic scale.
#4 We’ve bought into the fact that CISOs work for the CIO. This is old-school stylie and I’m not convinced that this is the way to do it. If you look at the security controls in SP 800-53, there are activities entirely out of scope of the IT department. Usually these involve gates, guards, and guns; personnel security; and facilities management. For the time being, the official response is that “well, the CISO has to work with the people in charge of those areas to get their job done” and I’m thinking that maybe we’ve done a disservice to the senior security officer in our agencies by not having them report directly to the agency head. Maybe we need true CSOs to take care of the non-IT security aspects and a CISO to take care of the geekspace.
The funny thing to me is that some of our students come in expecting to get spoon-fed information on the one true way to do C&A, and what most of them walk away with is ideas for thought on what the strengths and weaknesses are in how we do business as Government information security people and how we make it better.
The last thing that I noticed yesterday after all the classes were over: we taught a C&A class and did not have a dedicated session on what a System Security Plan is and how to write one. Deep down inside, I like this, because if you do the right things security-wise, you’ll find that the SSP practically writes itself. =)