FAR: it’s the Federal Acquisition Regulation, and it covers all the buying that the government does.  For contractors, the FAR is a big deal–violate it and you end up blackballed from Government contracts or having to pay back money to your customer, either of which is a very bad thing.

In early August, OMB issued Memo 08-22 (standard .pdf caveat blah blah blah) which gave some of the administratrivia about how they want to manage FDCC–how to report it in your FISMA report, what is and isn’t a desktop, and a rough outline on how to validate your level of compliance.

Now I have mixed feelings about FDCC, you all should know that by now, but I think the Government actually did a decent thing here–they added FDCC (and any other NIST secure configuration checklists) to the FAR.

Check this section of 800-22 out:

On February 28, 2008, revised Part 39 of the Federal Acquisition Regulation (FAR) was published which reads:
PART 39-ACQUISITION OF INFORMATION TECHNOLOGY
1. The authority citation for 48 CFR part 39 continues to read as follows: Authority: 40 U.S.C. 121(c); 10U.S.C. chapter 137; and 42 U.S.C. 2473(c).
2. Amend section 39.101 by revising paragraph (d) to read as follows:
39.101 Policy.
* * * * *

(d) In acquiring information technology, agencies shall include the appropriate IT security policies and requirements, including use of common security configurations available from the NIST’s website at http://checklists.nist.gov. Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated.

Translated into English, what this means is that the NIST configurations checklists are coded into law for Government IT purchases.

This carries a HUGE impact to both the Government and contractors.  For the Government, they just outsourced part of their security to Dell and HP, whether they know it or not.  For the desktop manufacturers, they just signed up to learn how FDCC works if they want some of the Government’s money. 

Remember back in the halcyon days of FDCC when I predicted that one of the critical keys to success for FDCC was to be able to buy OEM desktops with the FDCC images on them.  It’s slowly becoming a reality.

Oh what’s that, you don’t sell desktops?  Well, this applies to all NIST configuration checklists, so as NIST adds to the intellectual property in the checklists program, you get to play too.  Looking at the DISA STIGs as a model, you might end up with a checklist for literally everything.

So as somebody who has no relation to the US Federal Government, you must be asking by now how you can ride the FDCC wave?  Here’s Rybolov’s plan for secure desktop world domination:

• Wait for the government to attain 60-80% FDCC implementation
• Wait for desktops to have an FDCC option for installed OS
• Review your core applications on the FDCC compatibility list
• Adopt FDCC as your desktop hardening standard
• Buy your desktop hardware with the image pre-loaded
• The FDCC configuration rolls uphill to be the default OS that they sell
• ?????
• Profit!

And the Government security trickle-down effect keeps rolling on….

Cynically, you could say that the OMB memos as of late (FDCC, DNSSEC) are very well coached and that OMB doesn’t know anything about IT, much less IT security.  You probably would be right, but seriously, OMB doesn’t get paid to know IT, they get paid to manage and budget, and in this case I see some sound public policy by asking the people who do know what they’re talking about.

While we have on our cynical hats, we might as well give a nod to those FISMA naysayers who have been complaining for years that the law wasn’t technical/specific enough.   Now we have very static checklists and the power to decide what a secure configuration should be has been taken out of the hands of the techies who would know and given to research organizations and bureaucratic organizations who have no vested interest in making your gear work.

Lighthouse From AFAR photo by Kamoteus.

• Comments on SCAP 2008
• No, FISMA Doesn’t Require That, Silly Product Pushers
• Federated Vulnerability Management
• Current Government Security Initiatives
• When the News Breaks, We Fix it…

Signs of the pre-election slowdown are around us, and I’m definitely starting to feel it.

For those of you outside the beltway, it breaks down like this:  people aren’t willing to make any long-term decisions  or start any long-term projects because they will be overruled in a couple of months after the elections and as election platforms meet reality.  Typically this happens once most of the political appointees are in-place, and I have a feeling that early 2009 is going to be much fun, no matter who wins the presidency.

Now when the current president took charge of the executive branch, he issued a 5-point plan called the President’s Management Agenda.  You can check out the PMA on the OMB website.  And yes, E-Government is one of the 5.  You can expect something similar under the new administration.

As a parting shot, you know it’s a slowdown when you see contracts that will be awarded in November but the work doesn’t start until April.  =)

Lame Ducks Frozen in the Ice photo by digitalART2.

• Election Year Follies
• Got Training?
• Privacy Camp DC–April 17th
• An Open Letter to the Next President of the United States
• Learning GovieSpeak: The Plum Book

Our friends at NIST are hosting a SCAP conference and workshop from the 22 to the 25th of September.  Go check it out here.  Registration runs until the 16th.

• NIST Security Automation Conference
• Save a Kitten, Write SCAP Content
• NIST and SCAP; Busting a cap on intruders Part 1
• Wanted: Some SCAP Wranglers
• Special Publication 800-53 Revision 3 Workshop

This super secret security control is from the unpublished control catalog of an agency we would be foolish to name here.  Oh, darn, you talked me into it, the agency is the Director of National Intelligence – Extralegal Ventures to Rectify Information Technology Hacks, Incursions and Numbskulls Gabbing (DNI-EVRYTHING):

PS-1337 PERSONNEL SANITIZATION AND DISPOSAL

Control:
The organization sanitizes information system personnel prior to disposal or release for burial.

Supplemental Guidance:
Sanitization is the process used to remove information from information system personnel such that there is reasonable assurance, in proportion to the confidentiality of the information, that the information cannot be retrieved, recovered or extraordinarily renditioned. Sanitization techniques, including clearing, purging, and destroying personnel information, prevent the disclosure of organizational information to unauthorized individuals when personnel are disposed. The organization uses its discretion on sanitization techniques and procedures for personnel containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on the organization or individuals if released for reuse or disposed. The Black Operations For the Homeland (BOFH) provides personnel sanitization guidance and maintains a listing of approved sanitization procedures in their publication “Leave No Incriminating Evidence (or Where Jimmy Hoffa Went) Directive and BBQ Cookbook”.

Control Enhancements:
(1) The organization tracks, documents, and verifies personnel sanitization and disposal actions.
(2) The organization periodically tests sanitization equipment and procedures to verify correct performance.
(3) The organization employs personnel sanitizers (‘cleaners’) who bear an uncanny resemblance to either Harvey Keitel or Jean Reno to perform ad hoc personnel sanitization procedures.
(4) Lbh fubhyq arire gehfg EBG13 rapelcgvba be chg lbhe snvgu va pbafcvenpl gurbevrf. (ROT13 Super-Encrypted)

LOW: Not Selected  MOD: PS-1337(1)(2)  HIGH: PS-1337(1)(2)(3)  MAJESTIC12: PS-1337(1)(2)(3)(4)

• Workin’ for the ‘Counters: an Analysis of my Love-Hate Relationship with the CPAs
• Transparency in Government: Just Give us the Data!
• Introducing the NoVa InfoSec Portal
• Communicating the Value of Security Seminar Preview
• Yet More Security Controls You Won’t See in SP 800-53

I like SmartBuy, I’ve talked about it before, it’s a software bulk-purchase program sponsored by GSA. The more types of software products they buy, the better for the people who need to depend on this stuff.

So I’m doing my usual beginning-of-the-week upcoming contracts perusal and something interesting caught my eye:  GSA is looking for “Situational Awareness and Incident Response” (SAIR) software to do a blanket purchase agreement for SmartBuy.

What they mean by SAIR (according to the pre-RFP information) is the following:

• Baseline Configuration Management
• Network Mapping
• Vulnerability Management

Really, think something along the lines of FDCC/SCAP-aware tools to manage IT assets.  Not sure how the incident response piece fits in, but OK, I’ll go along with you here.  Makes sense if you stop and think about it–we have a FDCC mandate from OMB, and now we’re looking for the tools to help with it–I mentioned that FDCC without automation was futile almost 9000 years ago.

I know I have blog readers who make similar software, drop me a message if you need more details.

And for my daily dose of snarkiness:  it’s good to see how GSA has come such a long way in my life from being just the provider of skillcraft pens and simple green.  =)

• Comments on SCAP 2008
• Current Government Security Initiatives
• NIST and SCAP; Busting a cap on intruders Part 1
• Ed Bellis’s Little SCAP Project
• Some Words From a FAR