FISMA: Better if PCI. WTF?

Posted March 31st, 2008 by

“That’s why it’s time to reassess what FISMA should measure.  One model worth considering: the audit guide used by the payment card industry.”

Wow, just wow.  I didn’t know what to say for a couple of minutes…

But here goes.

Guys, seriously, the only time that FISMA gets any airtime at all is this time of the year, when all the reports come out.  The rest of the time, nobody cares unless they’re the CISO’s staff in an agency or they’re trying to pitch a product or service to the government.  Yes, I resemble both of those.

Of course, by now the responses to the annual FISMA reports are getting rote:

  • A couple of newspaper articles about how security in the government sucks.
  • Some blog posts about how since the government can’t get their act together, they shouldn’t tell the rest of us what to do.
  • GAO and OMB testify in front of Congress about what the numbers mean.
  • Recursive commentary about how the numbers mean that collecting the numbers is worthless.
  • A formal statement from SANS about how FISMA is failing.
  • Some techno-geeks chiming in that if only the government would do this one thing that they’re a specialist in, that all of their security problems would go away.
  • A plethora of people misunderstanding what “that FISMA thing” is, thinking that it’s some kind of report card.
  • Everybody forgets about it all until next year.

Even I’m part of that, being a contractor who sells security services and all.

So where am I headed with all this?  Well, just to point out that there are a ton of people out there who get to play armchair quarterback every March about FISMA and security in the government as a whole.  It’s fun, but we’ll forget about it as soon as it’s tax time.

Posted in FISMA, Rants | 3 Comments »

Georgia Modifies and Adopts FISMA Framework

Posted March 28th, 2008 by

Georgia has adopted the NIST IA framework, modified it for local use, and now an executive order requires the gathering and publication of security metrics.

Posted in FISMA | 1 Comment »

Ack! With the Mandates!

Posted March 28th, 2008 by

Very nice article at Federal Times about Office of Management and Budget mandates actually interfering with agencies’ ability to provide effective security.  Of course, I think it’s well-written because it says some of the same things that I’ve been saying for a while now.   =)

So the question is, does OMB “get it” when it comes to information security?  Well, yes and no, and as a rebuttal, should they?

Let’s look at what OMB does.  In fact, go check out their web site; it has a plethora of knowledge.  It has the following mission statement:

“OMB’s predominant mission is to assist the President in overseeing the preparation of the federal budget and to supervise its administration in Executive Branch agencies. In helping to formulate the President’s spending plans, OMB evaluates the effectiveness of agency programs, policies, and procedures, assesses competing funding demands among agencies, and sets funding priorities. OMB ensures that agency reports, rules, testimony, and proposed legislation are consistent with the President’s Budget and with Administration policies.

“In addition, OMB oversees and coordinates the Administration’s procurement, financial management, information, and regulatory policies. In each of these areas, OMB’s role is to help improve administrative management, to develop better performance measures and coordinating mechanisms, and to reduce any unnecessary burdens on the public.”

OK, so they are responsible for management, budget, performance, policy, and acquisition.  Hmm, sounds like the business side of the Government.  Yes, they should be in charge of security, but from the perspective of a good CFO:  that is, they know that it’s important because it’s loss reduction, but they don’t necessarily have the expertise on-hand to go into much more depth than that.

Now, OMB is in a squeeze, and you need to understand their pressures.  On one hand, their job is to assure compliance with all the laws, directives, policies, etc.  On the other hand, their job is to reduce the cost of the Federal budget.  In my world, these ideas are opposed to each other.

Add some political pressure and some serious security incidents into the mix, and you can easily see why OMB has been managing security by mandates and performance metrics (FISMA reporting).  The mandates are policy statements and the metrics are intended to determine how efficiently agencies are executing their compliance.  Thing is, this makes sense in a compliance-budget squeeze.

Now, notice that I didn’t bring up risk management anywhere in this post until now?  Well, this is where risk management comes in.  At the current burn-rate for IT security spending in the Government, the way to realize efficiencies and cost savings while still meeting the compliance drivers is to use risk management.  I’ll say this again: without risk management, everything becomes equally important and you have neither effective security nor cost-conscious security.

My big question for you is this:  who is performing true risk management for the Government as a whole?

  • It’s not OMB, they just operate as the Government’s CFO
  • It’s definitely not GAO, they’re just a dual-person control to keep the executive branch honest
  • It’s not NIST, they just write standards and guidelines

The answer is this:  agency CISOs.  The problem with them being the highest level of risk management is the following:

  • No sharing of risk with high-level stakeholders (OMB, White House)
  • No sharing of risk with risk partners (Congress)
  • No risk management at the national-level (strategic view)
  • CISOs are given all the responsibility but none of the authority to fix things that really matter
  • We all point fingers at each other when something breaks

So, how do we fix this?  That’s a hard one.  We can train OMB to do risk management.  We can extend Lines of Business so that one agency (*cough* DHS *cough*) adopts national-level risk management.  We can create a new organization that’s responsible for government-wide risk management, but then again that doesn’t make sense.

Posted in FISMA, Risk Management, What Doesn't Work | No Comments »

Guilty Pleasures and UR ECONOMEEZ

Posted March 28th, 2008 by

OK, I’ve been a fan of LOLFED for a week now.  I have to admit, I’m probably missing some things because I’m not a CPA.  =)

Posted in Odds-n-Sods | 2 Comments »

Speaking Again

Posted March 28th, 2008 by

Potomac Forum is holding a 5-Fridays FISMA Fellows Class in May and June.  Of course, I’ll be speaking/teaching and so will some of the other characters you see on my blog.

Hasty agenda; you can get more info on the Potomac Forum site:

  • Day 1: Introduction, Determining Boundaries, Inventory, and Data Criticality
  • Day 2: Controls, 800-53, Security Planning
  • Day 3: Security Test and Evaluation, Risk Management
  • Day 4: The Entire Process of Certification and Accreditation, CPIC, Accreditation Packages
  • Day 5: COOP, Patch Management, and Graduation Ceremony

The one caveat is that it’s open only to Government employees.

Posted in FISMA, NIST, Speaking | No Comments »

Wednesday Zombie Post–Zombie Survival And Defense Wiki

Posted March 26th, 2008 by

Feeling like you need to share your zombie knowledge and learn from other enthusiasts?  Check out the Zombie Survival and Defense Wiki.

“The online wiki community for zombie theorists, survivalists, and fans to share their knowledge, survival plans, and ‘experiences.’ Prepare now or rue your disorganization later!”

Posted in Zombies | No Comments »
