FISMA Reporting Guidance for 2008

Posted July 18th, 2008 by

It’s out.  Check it out in the OMB Memo.  I’ll most likely have something pithy to say when I look at it a little bit more, but it looks like it’s mostly the same as last year.

Anyway, you can get it here, it’s OMB Memo 08-21.

Similar Posts:

Posted in FISMA | No Comments »

Friday Subversive Music–The Dead Kennedys

Posted July 18th, 2008 by

It’s even funnier when you know about the Frankenchrist album trial just a couple of years later.

Similar Posts:

Posted in Odds-n-Sods | 3 Comments »

Exhaustive Security Testing is Bad For You

Posted July 17th, 2008 by

Hot on the heels of Security Assessments as Fraud, Waste, and Abuse comes this heartwarming lolcat.

funny pictures

Similar Posts:

Posted in IKANHAZFIZMA | No Comments »

Security Assessments as Fraud, Waste, and Abuse

Posted July 17th, 2008 by

I’m going to put on my Government Security Heretic Hat for awhile here, bear me out.  By my estimate, half of the security assessments received by the Government have some kind of fraud, waste, and abuse.

What makes me say this is the amount of redundancy in some testing that I’ve seen without any value added.

The way to avoid this redundancy is the concept of common/shared controls.  The whole idea is that you take whatever security controls you have across the board and put them into one bucket.  You test that bucket once and then whenever something  shares controls with that bucket, you look at the shared control bucket and make sure that the assessment is still relevant and accurate.

So, what makes a security assessment not fraud, waste, and abuse?  It’s a good assessment if it does the following:

  • Does not repeat a previous assessment.
  • Discovers previously-undiscovered vulnerabilities, weaknesses, or findings.
  • Has findings that get fed into a risk management plan (accepted, avoided, transferred, etc–think POA&M).
  • Is not exhaustive when it doesn’t need to be.
  • Provides value to the project team, system owner, and Authorizing Official to make key decisions.

Now the problem is that the typical auditor has a hard time stopping–they have an ethical obligation to investigate anything that their “professional skepticism” tells them is out of place, just like cops have an ethical obligation to investigate anything that they think is a crime.

The Solution?  Don’t use auditors! The public accounting model that we adopted for information security does not scale the way that we need it to for ST&E, and we need to understand this in order to fix security in the Government.

What we need to be doing is Security Test and Evaluation which is focused on risk, not on compliance using a checklist of control objectives.  Usually if you know enough to say “Wow, your patch management process is whacked, you’re at a high risk!” then that’s enough to stop testing patch management controls.  This is one of the beefs I have with 800-53A in the hands of less-than-clueful people:  they will test until exhaustion.

There isn’t a whole lot of difference between ST&E and an audit, just the purpose.  Audits are by nature confrontational because you’re trying to prove that fraud, waste, and abuse hasn’t occured.  ST&E is helping the project team find things that they haven’t thought of before and eventually get the large problems funded and fixed.

The Little Frauds Songbook

The Little Frauds Harrigan & Hart’s Songs & Sketches Photo by Boston Public Library

Similar Posts:

Posted in FISMA, NIST, Risk Management, What Doesn't Work | 8 Comments »

Learning GovieSpeak: The Plum Book

Posted July 17th, 2008 by

You were thinking this was part of the rainbow series, along with the orange book, the red book, and the fuchsia book, weren’t you?

Well, no, security dweebs, we’re on a public policy kick, probably will be until the end of the year (more on that to follow, stay tuned), so you wouldn’t be so lucky.

The Plum Book’s official title is Government Policy and Supporting Positions and basically it’s a huge staffing chart for the Senior Executive Service–the political appointees.  Congress publishes the Plum Book after each presidential election, so for those of us who remember our civics lessons in high school, that would be every 4 years, and the last one was published in 2004.

In fact, you can see the last edition here.  Caveat:  it’s dry, like the uber-trocken Franken white wine that grows in the fields around where I used to live in Germany–so dry that it sucks the moisture right out of you.

Plum Pickin

Plum Pickin photo by Secret Tenerife

Now why do we care about the Plum Book?  Well, that’s a good question.  Have a look at some of the staffing plans in the plum book, and you’ll see something missing:  Agency CISOs.

Now, I’m not a rocket scientist on org charts, but it seems to me that unless you put CISOs up to where they’re answerable to the agency head, they’re just a cost center inside the IT department with no visibility to the decision-makers.  Once again, we’ve crippled our security staffs like the old-school way of doing things.

On another note, taking a quick straw poll of the agency CISOs that I know, I think about half of them are political appointees, and half of them are GS-15s.  So what’s the difference?

Well, political appointees (SES) are appointed by the President.  They make a better target because they have much more visibility from the higher-ups they are more political in nature.

GS-scale employees are civil service careerists.  Usually these are the guys who have moved up the ranks in the various agencies and know quite a bit of things.

Which is better?  Well, if you want survivability, then GS-scale is the way to go.  If you want to make the most difference, SES is the ticket.

Most of us will never get the choice. =)

Similar Posts:

Posted in Odds-n-Sods, Rants | 3 Comments »

More Security Controls You Won’t See in 800-53: Now in LOLCAT Form!

Posted July 10th, 2008 by

With as much overengineering that people do for low-criticality systems, I’m surprised nobody’s mentioned this idea yet for high-criticality data:  snipers on the roof.  Now that “the cat’s out of the bag”, I figure this will be in the next 800-53 revision.


funny pictures

Similar Posts:

Posted in IKANHAZFIZMA | 1 Comment »

« Previous Entries Next Entries »

Visitor Geolocationing Widget: