Introducing the Government’s Great InfoSec Equities Issue

Posted December 9th, 2008 by

Government and information security–it really means two different things, and I’m going to break it down for you “Big Bird Stylie” as something I call the InfoSec Equities Issue.

If you’re like me, you have to be wondering the same things over and over again:

  • Why is is that DHS has perpetually scored low on their FISMA report card and yet they are supposed to be leading the way for cybersecurity for the nation as a whole? (FYI, they got a B+ for FY 2007)
  • How is it that the Government as a whole can have these gianormous data breaches ala the Veterans Administration and yet still claim to know how to help us secure our systems?
  • Does the FTC really expect me to keep a straight face when I read OnGuardOnline?

Well fear not, dear readers, for this is the secret to understanding these conundrums:  they’re actually different issues with a different funding trail.  This budget difference, although a topic we security people shun whenever we can, is insanely critical.

For securing their own internal systems, the Government faces exactly the same problems that most companies have only amplified because of scale–security is a cost center, and cost centers get reduced wherever possible.  Fudiciary responsibility to the taxpayers requires that the agency CISO’s staff do more with less, and that’s not a happy thought if you end up on the wrong side of the security budget equation.

Minimal Security photo by °Florian.

When it comes to security of external systems (and some national-level internal programs), the Government runs these as a program and offered as a service to the nation.  Some typical programs include the following:

It’s one of Washington’s best-kept secrets: being a program manager in the Government means that you get a mission and a bag of money, and your job is to decide where to spend it all.  This is the sweetest job and the one that you want whether it’s in security or any other discipline that you could image is a Government service–health care, law enforcement, or even the infamous “Gub’mint cheese”.

However, all is not peachy for programs.  They can get cancelled based on political will and trends, so if your program ends up non-favorably in the Washington Post, you might end with your bag of money pilfered for other programs.

Heightened Security photo by robmcm.

This concept of divergent funding is all nice and neat except, dear readers, when the issues are not separate–ie, when an internal IT system protected by the internal budget supports a particular program.  For example, consider the following scenarios:

  • Security of vulnerability data at US-CERT (external) that resides on a Government IT system (internal).
  • A financial system (internal) that tracks distributions to welfare recipients (external).
  • A government website (internal) that supports awareness and training on security issues affecting individual citizens such as identity theft (external).

Now this is the concept behind the way Government is supposed to be running security programs:  the internal funds pay for the centralized security and the funded programs pay for any level of security for IT systems that they sponsor.

But several catches:

  • The system owner has to understand how to budget for or ensure that security for their program is budgetted for.  Somewhere in there is an understanding of security risk.
  • The system owner (who in theory has better funding and therefore better security) is dependent upon the centrally-managed security (which in theory has less funding and therefore worse security).
  • Program-specific security comes out of the program, which means that higher security costs means that the program manager can’t spend money on the services they provide, which is where they really want to be spending it.
  • A ton of negotiation is required to figure out responsibilities between the program manager and the CIO/CISO.
  • If the agency takes too much money out of the program budget for security, we run into the same fudiciary responsibility problems in that we’re not managing our money properly.

Similar Posts:

Posted in FISMA, What Doesn't Work, What Works | 7 Comments »

LOLCATS Get Fingerprinted

Posted December 4th, 2008 by

A favorite subject for me this week: personnel security, clearances, and being fingerprinted. For those of you who have yet had the joy of being fingerprinted (a task that we reserve for criminals and people who work with/in the Government), you need to adopt a similar pose to what our lolcat is doing.

Oh yeah, the part that they don’t tell you is that they have cool flatbed scanners that don’t require you to get all inked up, they just have to be approved for use.

funny pictures

Similar Posts:

Posted in IKANHAZFIZMA | No Comments »

The Press has Me all Confused

Posted December 4th, 2008 by

So, what’s the deal?  Have a look through the following articles:

And wow, you would think that either the anti-FISMA cabal was on strike this month.  Even Alan Paller’s comments are toned down.  What gives?

But then again, maybe it’s just all part of the transition honeymoon–if you say things enough times, then eventually somebody picks up on it and recommends it to a committee and then it’s true.

My Bike the Transition Bottlerocket photo by Tom Grundy Photo.

Now at this point I start to get cynical, and here is why.  Everybody agrees that cybersecurity (been working with the Government for too long, I don’t even cringe at the word) is this phenomenally important thing that we all should do something about.  But since it’s a cost, for the most part it never actually happens.

In other words, it’s exactly the same problem that CISOs in private enterprise, the banking industry, and insurance has been dealing with for a “long” time: everybody wants security, but they don’t want to pay for it.

And the last article I have to give y’all today is this one from  Programs and ideas are great and all, but the CISO inside me knows that things won’t get done until there is a budget behind it.  That’s why the National Strategy to Secure Cyberspace hasn’t gone much of anywhere until the standup and subsequent funding of the National Cybersecurity Division and the National Infrastructure Protection Plan (yes, you could argue that they need much more funding than they currently have, but you can’t stand up something that big that fast).

Maybe I’ve come back around to the classic argument: talk is cheap, security isn’t.  And when transition fever comes to the Beltway, everybody has something to talk about.  =)

Similar Posts:

Posted in FISMA, Rants | 2 Comments »

Tangling with the Clearance Monsters

Posted December 2nd, 2008 by

Another pair of client agencies, another pair of clearance forms to fill out….

Want to talk about fraud, waste, and abuse?  I’m in my mid-30’s (not ~85 like Alex and Mortman think I should be) and I’ve gone through the clearance process about 3 times a year since 2002 (and once in 1992 and once in 1996), mostly because each agency insists on having their own clearance requirements.

So let’s look at the economics of managing clearances at the agency level, I figure I’m a pretty average when it comes to this:

  • ~2 days of filling out SF-86 and other clearance forms 16 hours x $150 = $800
  • ~1 day for fingerprinting and corrections 8 hours x $150 = $400
  • Salaries for cleared personnel = +$15K over “market value” (yes, dear readers, that has become the market value)
  • 3 clearance runs/year for contractors $1200 billable hours x 3 times/year = 3600/year
  • All this times a bazillion contractors supporting the Government
  • ~2 months before somebody can actually be given any information that they can actually use to do the job.

The “Who Moved my Personnel Security Cheese?” Problem

This is the real crux of the problem: every agency thinks that they are special–that Commerce has a different level of a need for trustworthy people than Health and Human Services.  We have a phrase for how we’re managing clearances right now: Not Invented Here.

News flash: trustworthy people are trustworthy people and dirtballs are dirtballs.  Honestly, what can the civilian agencies require that trumps  what having a Department of Defense Top Secret clearance can’t?  What we need is an esperanto for clearances.  My opinion is that DoD should trump all, but I’m obviously biased.  =)

Oh, but here’s the keystone to this argument:  all of the clearance processing (forms, background checks, investigations, and fingerprints) is done by the exact same people: Office of Personnel Management (OPM).

Clearance 12 Feet 4 Inches photo by Beige Alert.

Don’t get me wrong, life is not all gloom and doom.  OPM has this wonderful website now with the clearance forms called Electronic Questionnaires for Investigations Processing (e-QIP).  The best part: it remembers your details so you don’t have to fill them out every time.  Clearance paperwork has now become as simple as updating your contact information and job details on a social networking site.  And it does validation of your filing information so that you don’t have a different way of doing things from agency to agency.

Benefits of Centrally-Managed Universal Clearances

Why am I arguing for managing clearances centrally?  Well, I’m both a taxpayer and a contractor.  This is my line of thought:

  • Cheaper because of reduces redundancy (object lesson on the Federal Enterprise Architecture)
  • Reduces “switch costs” for throwing out one contractor in favor of another. (heh, bring me in instead)
  • Quicker onboarding for both govies and contractors
  • More career options for cleared personnel
  • Unified standard of accep
  • Helps us get to one unified Government ID card (ack, HSPD-12)
  • It’s just plain smarter Government!

Deus Ex Barry O?

Oh yeah, it’s Presidential transition time.  This means that everybody with an opinion comes out of the woodwork with their expert analysis on what the Government should do.  While we’re throwing ideas around, I would like to throw my hat in the ring with just a couple:

  1. Appoint an executive-branch CIO and CISO. (already covered that)
  2. Fix the clearance process so that there’s one authoritative set of clearances that apply everywhere.

Problem as I see it is that left to their own devices, the agencies have to “roll their own” because as downstream consumers of OPM, they don’t have a unifying standard.  As much as I hate getting mandates from OMB, this might be one that I’m willing to support.  And yes, I probably crossed some sort of political threshold somewhere along the line….

Similar Posts:

Posted in Rants, What Doesn't Work | 6 Comments »

Next Entries »

Visitor Geolocationing Widget: