Observations on SP 800-37R1

Posted March 29th, 2010 by

So by now NIST SP 800-37 R1 has made the rounds.  I want to take a couple of minutes to go over my theory on this update.

Summary of changes:

  • Certification is gone.  Accreditation has now changed to “Authorization”.  This is interesting to me because it removes certification which I’ve always equated with compliance.
  • There is more focus on continuous monitoring.
  • NIST has made it more obvious that the process in 800-37 is the security aspects of an SDLC.
  • There is much more emphasis on enterprise-level controls.

So those of you out there who have been succeeding with the NIST Risk Management Framework have been doing this all along, and it’s actually why you’ve succeeded.  For the rest of you, if you have to change your existing process, you’ve been doing it wrong.

Now for what’s missing and where you need to fill in the gaps:

  • Prioritization of controls.  If everything is important, nothing is important.  You have to be able to determine which controls you need to succeed 100% of the time and which controls only need 75% reliability.  Hey, I even give credit to the SANS 20 Critical Security Controls, as flawed as they are, for this.
  • Delineation of controls into shared/common, hybrid, and system-specific.  This is by design, it’s up to the departments and agencies to figure this out.  If you do this correctly, you save a ton of time and effort.  I remember the day my certifier told me that we didn’t recognize shared controls and that it was on me to provide evidence of controls that were provided at the enterprise–it still baffles me how you really expect one person on a project team to have the resources of the entire IT security staff.
  • Continuous monitoring is up to you.  Along with prioritization, you have to determine which controls you need to monitor and a plan for how to do that.  Protip: these are usually technical controls that you can automate and should do so because it’s the only way to get the job done.
  • Tailor, tailor, tailor.  It is not enough to use generic 800-53 controls.  It definitely is sub-par to use untailored 800-53A test procedures as your test plan.  These all depend on the implementation and need to be tailored to fit.

And finally, a shout-out to Dan Philpott at FISMAPedia.org.  Dan literally consumes new legislation, regulation, guidelines, and standards as they come out and annotates them with a wealth of analysis.

Wordle of NIST SP 800-37R1

800-37 WordCloud by ME! Thanks to wordle.net for the tool to make it.

Posted in FISMA, NIST, What Doesn't Work, What Works | 3 Comments »

Rybolov is Dead, Long Live Rybolov

Posted March 28th, 2010 by

OK, so now for some news about me if you haven’t seen it on twitter (You’re a security geek not on twitter?  Check out the Cool Kids Club and get involved).  Earlier this month I changed jobs and am now the Security Evangelist for Akamai–basically telling the story of our security team and the platform and what we do right.  I’m still doing some Federal business but I’ve also picked up responsibility for commercial customers.  And yes, I’ve slowed down on the antics a bit to let the dust settle.

In other news, My Favorite Govie and I are back to teaching our Public Policy and Information Security class for CMU.  Much has changed in the time since we started the class a year and a half ago:

  • The 60-Day Review was completed and finally released.  Thanks to Melissa Hathaway for the hours she put into this, now let’s get the calls-to-action done.
  • The President actually had a press conference about IT security.  Now how to convert that attitude to something actionable.
  • We finally have a Cybersecurity Coordinator.  Go Howard!  I think the biggest thing that he will accomplish is to scope his job and build his authority.
  • Verizon released their newer, badder, and stronger Data Breach Investigation Report.  Like it or not, they’re still the only people releasing data.

And then some things have stayed the same:

  • We’re still wasting half of the Government’s security spending, we just can’t figure out which half.
  • The Government’s InfoSec metrics still suck.
  • FISMA hasn’t died.
  • SANS still reminds us that FISMA is failing.  =)

Posted in The Guerilla CISO | 2 Comments »

The InfoSec D-List and IKANHAZFIZMA

Posted March 3rd, 2010 by

Andrew Hay, aside from being an all-around handsome guy, talked on Tuesday at B-Sides San Francisco about his life on the Information Security D-List.  Bill Brenner picked it up for CSO-Online and now it’s preserved for posterity.  Andrew’s been interviewing D-Listers and blogging the interviews.  They’re awesome inspiration if you’re one of the unsung heroes who go to work, grapple with the compliance hydra or the security operations tarpit all day, and go home to some conference videos so you can learn new skills and move on to the next project.  Yeah, I’m a D-Lister just like you folks, and I have tons of love and respect for all of you.

bware teh a-list kittehs

Posted in IKANHAZFIZMA | No Comments »