OMB Makes it to LOLCAT Fame

Posted May 29th, 2008 by

Love them or hate them, OMB has the unenviable job of setting executive-branch policy through their memos.  Not a place I would ever want to be.

funny pictures

Similar Posts:

Posted in IKANHAZFIZMA | No Comments »

Wednesday Zombie Post–Zombie Reagan

Posted May 28th, 2008 by

 Longing for the good ol’ days, Zombie Reagan proposes reincarnating the big guy himself in order to steer conservatism back on track.

Zombie Ronald Reagan

Similar Posts:

Posted in Zombies | No Comments »

FISMA Report Card News, Formulas, and 3 Myths

Posted May 27th, 2008 by

Ever watch a marathon on TV?  There’s the usual formula for how we lay out the day:

  • History of the marathon and Pheidippides
  • Discussion of the race length and how it was changes so that the Queen could watch the finish
  • World records and what our chances are for making one today
  • Graphics of the race course showing the key hills and the “sprint to the finish”
  • Talk about the womens’ marathon including Joan Benoit and Kathrine Switzer
  • Description of energy depletion and “The Wall”
  • Stats as the leaders hit the finsh line
  • Shots of “back-of-the-pack” runners and the race against yourself

Well, I now present to you the formula for FISMA Report Cards:

  • Paragraph about how agencies are failing to secure their data, the report card says so
  • History and trending of the report card
  • Discussion on changing FISMA
  • Quote from Karen Evans
  • Quote from Alan Paller about how FISMA is a failure and checklist-driven security
  • Wondering when the government will get their act together

Have a read of Dancho’s response to the FISMA Report Card.  Pretty typical writing formula that you’ll see from journalists.  I won’t even comment on the “FISMA compliance” title.  Oh wait, I just did.  =)

Some myths about FISMA in particular that I need to dispell right now:

  1. FISMA is a report card:  It’s a law, the grades are just an awareness campaign.  In fact, the whole series of NIST Special Publications are just implementation techniques–they are guidance after all.  Usually the media and bloggers talk about what FISMA measures and um, well, it doesn’t measure anything, it just requires that agencies have security programs based on a short list of criteria such as security planning, contingency planning, and security testing.  It just goes back to the adage that nobody really knows what FISMA is.
  2. FISMA needs to be changed:  As a law, FISMA is exactly where it needs to be.  Yes, Congress does have talks about modifying FISMA, but not much has come of it because what they eventually discover after much debate and sword-waving is that FISMA is the way to write the law about security, the problem is with the execution at all levels–OMB, GAO, and the agencies–and typically across organizational boundaries and competing master agendas.
  3. There is a viable alternative framework:  Dancho points out this framework in his post which is really an auditors’ plugin to the existing NIST Framework for FISMA.  Thing is, nobody has a viable alternative framework because it’s still going to be the same people with the same training executing in the same environment.

Urban Myth: Cellular Phones Cause Gas Fires

Urban Cell-Phone Fire Myth photo by richardmasoner.  This myth is dispelled at

Way back last year I wrote a blog post about indicator species and how we’re expecting the metrics to go up based on our continual measuring of them.  Every couple of months I go back and review it to see if it’s still relevant.  And the answer this week is “yes”.

Now I’ve been thinking and talking probably too much about FISMA and the grades over the past couple of years, so occassionally I come to conclusions .  According to Mr Vlad the Impaler, the report card is a bad idea, but I’m slowly beginning to see the wisdom of it:  it’s an opportunity to have a debate and to raise some awareness of Government security outside of those of us who do it.  The only other time that we have a public debate about security is after a serious data breach, and that’s not a happy time.

I just wish the media would stop with the story line that FISMA is failing because the grades provide recursive evidence of it.

Similar Posts:

Posted in FISMA, NIST, What Doesn't Work, What Works | 9 Comments »

Cyber Command Goes LOLCATS

Posted May 22nd, 2008 by

USAF Cyber Command:  We don’t know what our mission is, much less our organization or where we’re going to find lots of smart geeks who don’t mind being E-1s.  We have some really good commercials, though.  =)

But hey, that’s why it’s still “Provisional”.

funny pictures

Similar Posts:

Posted in IKANHAZFIZMA | 2 Comments »

Wednesday Zombie Post–Nerd Zombies

Posted May 21st, 2008 by

Fantastic cartoon strip and maybe a future movie at

“If vulcans are driven solely by logic, how come T’Pol has a boob job?”

Similar Posts:

Posted in Zombies | 2 Comments »

FISMA Report Cards Issued–Response is Rote by Now

Posted May 21st, 2008 by

Yay, FISMA report card for 2007 has been issued.  You can go check it out here.  I can’t believe it, but DHS scored a “B” against all odds. =)

And of course, by now the response to the report card is all rote–everybody wonders what the letters really mean:

Yeah, yeah, I guess it just goes to prove what we say about the classified world: the people who know don’t talk and the people who talk don’t know.  In this case, everybody attacks the metric because, well, it’s a bad metric–what action are we supposed to take because of what the results are?  It’s also pretty much ignored by this point anyway except for the witty sound bites from some of my “favorite people”, so it’s nothing to get all hot and bothered about.  The GAO and OMB reports that I’ve covered in much detail are much better and have a pretty decent level of analysis.

But fer chrissakes, the report card is issued by Congress, how much detail do you think it will ever contain?  =)

My rapidly expanding queue of pet peeves about this time of the year:

  • People who think that FISMA is just a report card and that we should re-examine how we measure security:  the grades are not even required by the law, it’s just technique and we can change that easily enough.
  • People who criticize but do not offer an alternative:  even if you had an alternative plan, the environment for execution still involves the same IT assets and the same front-line employees.
  • People who don’t understand enterprise-wide security much less a federation of semi-independent enterprises: it’s the nature of government-wide security metrics that they’ll be indicators which can be faked.
  • Sound bites from people who have never implemented any aspect of FISMA:  come on, SANS and Gartner?  GAO and the Cyber Security Industry Alliance are a little bit better but taken out of context.
  • Nobody ever asks me for a quote on FISMA numminess:  I’ll be pouting for the rest of the week, TYVM.  =)

Not that I’m the world’s best expert at fact-checking, but something caught my eye in the report:  it’s issued by Tom Davis and the url is from the Minority Office for the House Committee on Oversight and Government Reform.  Tom Davis is the representative from Northern Virginia and is the sponsor for FISMA back when it was signed.  Until the last election, he was the chairman of the House Committee on Oversight and Government Reform.  The committee is now chaired by Henry Waxman

Time for a new concept in your vocabulary:  LGOPP (OK, actually it’s LGOP, but I added an extra “P” for comedy purposes).  Imagine June 6th, 1944, paratroopers scattered all over the French countryside.  What happens is you pick up the people around you, the senior person becomes the leader, and you carry out the mission.

Paratrooper Stained Glass Window

Photo of Paratrooper Stained Glass in Sainte Mère Église by Nelson Minar

Hence the true meaning of LGOPP: Little Groups of P*ssed-off Paratroopers.  An equivalent phrase is “isolated pockets of brilliance”.

In the words of somebody I went off to war with:  “LGOPPS are the spirit of the infantry:  a handfull of 18- and 19-year-olds with fully automatic weapons who can barely remember what their mission is running around the woods raising hell”.

Now, I know you guys, you’re wondering what this has to do with security?  Well, this is relevant because it’s an election year.  What that means is that instead of being bothered with all this security stuff, Congress is involved in playing “gotcha” with the Executive branch.  After the election, it’s rearranging deck chairs on the Titanic and all of the leadership will change.

Instead of any national-level security agendas and strategizing, we’ll have to be content with security LGOPPs fighting the fight wherever they end up gaining enough critical mass.

And in the case of this year’s FISMA report card, the LGOPP that is Tom Davis’s staffers issued the report while the rest of the committee was busy worrying about elections.

Similar Posts:

Posted in FISMA | 5 Comments »

« Previous Entries

Visitor Geolocationing Widget: