FedRAMP: It’s Here but Not Yet Here

Posted December 12th, 2011

Contrary to what you might hear this week in the trade press, FedRAMP is not fully unveiled although there was some much-awaited progress. There was a memo that came out from the administration (PDF caveat).  Basically what it does is lay down the authority and responsibility for the Program Management Office and set some timelines.  This is good, and we needed it a year and a half ago.

However, people need to stop talking about how FedRAMP has solved all their problems because the entire program isn’t here yet.  Until you have a process document and a catalog of controls to evaluate, you don’t know how the program is going to help or hinder you, so all the press about it is speculation.

Posted in DISA, FISMA, NIST, Outsourcing, Risk Management

Clouds, FISMA, and the Lawyers

Posted April 26th, 2011

Interesting blog post on Microsoft’s TechNet, but the real gem is the case filing and summary from the DoJ (usual .pdf caveat applies).  Basically, the Reader’s Digest Condensed Version is that the Department of the Interior awarded a cloud services contract to Microsoft for email.  The award was protested by Google for a wide variety of reasons; you can go read the full thing for all the whinging.

But this is the interesting thing to me even though it’s mostly tangential to the award protest:

  • Google has an ATO under SP 800-37 from GSA for its Google Apps Premiere.
  • Google represents Google Apps for Government as having an ATO which, even though 99% of the security controls could be the same, is inaccurate as presented.
  • DOI rejected Google’s cloud because it had state and local (sidenote: does this include tribes?) tenants which might not have the same level of “security astuteness” as DOI.  Basically what they’re saying here is that if one of the tenants on Google’s cloud doesn’t know how to secure their data, it affects all the tenants.

So this is where I start thinking.  I thunk until my thinker was sore, and these are the conclusions I came to:

  • There is no such thing as “FISMA Certification”, there is a risk acceptance process for each cloud tenant.  Cloud providers make assertions of what common controls that they have built across all
  • Most people don’t understand what FISMA really means.  This is no shocker.
  • For the purposes of this award protest, the security bits do not matter because
  • This could all be solved in the wonk way by Google getting an ATO on their entire infrastructure and then no matter what product offerings they add on top of it, they just have to roll it into the “Master ATO”.
  • Even if the cloud infrastructure has an ATO, you still have to authorize the implementation on top of it given the types of data and the implementation details of your particular slice of that cloud.

And then there’s the “back story” consisting of the Cobell case and how Interior was disconnected from the Internet several times and for several years.  The Rybolov interpretation is that if Google’s government cloud potentially has tribes as a tenant, it increases the risk (both data security and just plain politically) to Interior beyond what they are willing to accept.

Obligatory Cloud photo by jonicdao.

Posted in FISMA, NIST, Outsourcing

FedRAMP is Officially Out

Posted November 3rd, 2010

Go check it out.  The project management folks have been jokingly grilled numerous times for being ~2-3 months late.

However, comments are being accepted until December 2nd.  Do yourselves a favor and submit some comments.

Posted in FISMA, NIST

Traffic Analysis and Rebuilding C&A

Posted August 17th, 2010

For some reason, “Rebuilding C&A” has been a perennial traffic magnet for me for a year or so now.  Seeing how that particular post was written in 2007, I find this an interesting stat.  Maybe I hit all the SEO terms right.  Or maybe the zeitgeist of the Information Assurance community is how to do it right.  Anyway, if you’re in Government and information security, it might be worthwhile to check out this old nugget of wisdom from yesteryear.

Posted in FISMA, NIST, The Guerilla CISO

Split-Horizon Assessments and the Oversight Effect

Posted July 7th, 2010

Going Off the Deep End

So I was thinking the other day (this is the part where people who know me in person usually go “oh cr*p”), partially spurred by a conversation I had with @csoandy and @secbarbie a couple of months ago.  I’ll get the idea out there: as an industry we need to embrace the concept of split-horizon assessments.

Two Purposes for Assessments

Because this is an insane approach that I’m just feeling out, let me go on a solo riff and explain what I’m talking about.  You see, I have two distinct purposes for getting a security assessment, both of which are in contention with each other:

  • I want to fix my security by asking for money to fix the things that need attention.  When I get an assessment for this purpose, enumeration of my badness/suckness is good.  If I have a set of results that say that everything is great, then there’s no need for me to be given any more resources (time, money, people, gear).  Short-term, I’m fine, but what about my infrastructure-type long-term projects?  The net effect of a highly-scored annual assessment just might kill my program in 2 years as my funding and people are shifted elsewhere, especially in a .
  • I want to keep my job and help my {company|agency|group} stay out of trouble by showing my zero-defects face and by demonstrating my due-diligence in protecting what has been given to me.  While the assessor has helped me short-term by identifying my problems and being a total hardass, if I’m not around in 6 months to adopt the recommendations into my security program, has the assessor actually helped me?

And this is the dilemma for just about every security manager out there.  One of the strategies is to alternate assessment types, but then your management wonders just what the heck it is you’re doing, because you’re on top one year and on the bottom the next.

Split Rock Lighthouse and Horizon photo by puliarf.

Assessor Window-Shopping

Now for the dirty little secret of the testing business:  there are really good testers who are the ninjas of the InfoSec world and there are really bad testers who don’t even validate their unlicensed Nessus scan.  I know, you’re shocked and it’s so blindingly obvious that Bruce Schneier will blog it 3 years from now.  =)

But there’s the part that you didn’t know:  security managers pick their assessor depending on the political mood inside their organization.  This is nowhere near a science, from what I’ve seen it involves a lot of navel-gazing on the part of the security team to see which is the lesser evil: having everybody think you’re incompetent or never getting anything new ever again?

Building a Better Rat Race

In order to accomplish both of the goals that I’ve listed, what I really need is a split-horizon assessment.  In other words, I need 2 reports from one assessment with different views for different audiences.  I know this sounds highly cynical, but it’s something we’ve been doing for some time now but just informally.  Might as well make it formal.

So are you sold on this concept yet?  In true form, I have an idea on how to get to a world of split-horizon assessments.  You can take any catalog of controls and divide it into “gotta have it” and “nice to have” (I almost divide these along the lines of “vulnerability mitigation” and “sustainable security program” or the “CISO” and “OMB and Congress”) buckets.  Then in your compliance assessment standard, require 2 reports for each assessment.  One is reported to the regulating authority and the other stays with the organization.
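As an added example (my code, not from the original post and not from any assessment standard), here is what the two-report split looks like mechanically: one set of findings from one assessment, one control catalog tagged by bucket, and two output views built from the same data. The regulator view is pass/fail on the “gotta have it” controls only; the internal view keeps every finding, ranked so the funding case writes itself. The control IDs, bucket assignments, findings and effort numbers are all constructed placeholders, not a real catalog or a real assessment.

```python
"""Added example: one assessment, two reports (split-horizon).

Assumptions (mine, not the author's): every control in the catalog is
tagged either "mandatory" (the "gotta have it" bucket, reported to the
regulating authority) or "program" (the "nice to have" bucket, which
stays with the organization).  IDs and bucket assignments are placeholders.
"""
from dataclasses import dataclass

MANDATORY = "mandatory"   # "gotta have it": goes to the regulator
PROGRAM = "program"       # "nice to have": stays in-house

# Constructed catalog: control id -> bucket.  The assignment is arbitrary.
CATALOG = {
    "AC-2": MANDATORY, "IA-5": MANDATORY, "SI-2": MANDATORY, "SC-7": MANDATORY,
    "PM-4": PROGRAM, "SA-11": PROGRAM, "IR-8": PROGRAM,
}

SEVERITY_RANK = {"high": 0, "moderate": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    control: str
    severity: str      # "high" | "moderate" | "low"
    detail: str
    fix_cost: int      # rough remediation effort in person-days (constructed)


def split_horizon(findings, catalog=CATALOG):
    """Return (regulator_report, internal_report) for one set of findings."""
    # A finding against a control that is not in the catalog is an assessor
    # error, not a security result; refuse rather than silently drop it.
    unknown = {f.control for f in findings} - catalog.keys()
    if unknown:
        raise ValueError(f"findings reference controls not in catalog: {sorted(unknown)}")

    mandatory = [c for c, bucket in catalog.items() if bucket == MANDATORY]
    failed_mandatory = sorted({f.control for f in findings if catalog[f.control] == MANDATORY})

    # External view: pass/fail per mandatory control and a headline score.
    # Program-bucket findings never appear here.
    regulator_report = {
        "controls": {c: ("fail" if c in failed_mandatory else "pass") for c in mandatory},
        "score": round(100 * (1 - len(failed_mandatory) / len(mandatory))),
    }

    # Internal view: every finding, highest severity first, costliest fix
    # first within a severity, plus the totals the budget request needs.
    internal_report = {
        "findings": sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], -f.fix_cost)),
        "mandatory_gaps": failed_mandatory,
        "program_gaps": sorted({f.control for f in findings if catalog[f.control] == PROGRAM}),
        "total_fix_cost": sum(f.fix_cost for f in findings),
    }
    return regulator_report, internal_report


# Constructed sample findings from one fictional assessment.
SAMPLE_FINDINGS = [
    Finding("IA-5", "high", "shared service-account passwords never rotated", 5),
    Finding("PM-4", "moderate", "no POA&M tracking beyond a spreadsheet", 20),
    Finding("SA-11", "low", "no static analysis in the release pipeline", 40),
]

if __name__ == "__main__":
    external, internal = split_horizon(SAMPLE_FINDINGS)
    print("regulator view:", external)
    print("internal view:", internal)
```

The point of the example is that the two reports are projections of the same record, not two assessments: the regulator never sees the program-bucket gaps, and the internal view never loses them. The unknown-control check is there because a finding that cannot be placed in either bucket would otherwise vanish from both reports.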

Indecision Strikes

I don’t know if I’ve solved the problemspace or not, but I’m looking for feedback “from the Peanut Gallery” so leave some comments.

Posted in Rants, What Doesn't Work, What Works

A Funnier Thing Happened on the WAY to Capitol Hill

Posted June 15th, 2010

Since I never get to see Vlad the Impaler enough in real life, I was pleased to see his recent blog post, “Machines Don’t Cause Risk, People Do!”. It reminded me of the fact that security professionals must have so-called people skills as well as a keen insight into the dynamics and group psychology of organizations in order to be effective.

As is true for technological solutions, security controls and security policy must also be subject to the concepts and processes found in life-cycle methodologies. As security professionals we must be constantly aware of these cycles, as in some cases this means that controls and policies can outlive their usefulness. In other cases it means that security policies and concepts can evolve or mutate until they are no longer viable or meaningful.

It is the latter phenomenon that caught my attention recently. But first, let me set the stage…

A Tragic History

Back in 1983 the American people were made aware of the concept of a truck bomb in a dramatic and tragic fashion. In late October of that year, truck bombers attacked the compounds housing U.S. and French peacekeepers in Lebanon. The loss of life was shocking.

In the aftermath of this tragedy there was a great deal of political finger pointing. Notably, security professionals had expressed concerns about the vulnerability of the deployment and had made several recommendations to improve the security of the facility. Some of the recommendations were followed; others that would have greatly mitigated the damage and loss of life in the subsequent attack were not implemented. In addition, security professionals were asked to rise above the politics, examine the situation from a “lessons-learned” perspective and develop generally applicable counter-measures. One obvious and immediate response was the introduction of bollards or jersey barriers around public and government buildings. While experts agreed that this wasn’t a complete solution to the problem of the vehicular bomb, it was and still is seen as a useful and essential tool.

Two criticisms of the use of these physical barriers were quickly voiced. The first criticism focused on the aesthetics of the barriers. Critics correctly pointed out that the barriers that were initially introduced were ugly and made the public buildings and spaces they protected take on an unfriendly, fortress-like appearance. After a time the response to this was the introduction of barriers masquerading as sculpture, large planter boxes and even seats or benches.

The second criticism focused on the fact that many public buildings and spaces were constructed in such a fashion that it was difficult, expensive, and in some cases even impossible to effectively employ these barriers. A common problem noted was that buildings were often constructed with little or no “set-back” between the building and the street. This meant that there was no meaningful way to erect barriers at a sufficient distance from the building in question to afford it any meaningful protection.

Within the limits of always-constrained budgets, the Federal government began erecting vehicular barriers all over the country and even overseas. The government also began a program that developed a risk and vulnerability assessment, or classification, of all Federal facilities and buildings.

History Repeats Itself With a New Twist

Ten years later, the US was horrified again by the bombing of the Federal Building in Oklahoma City. While the bombing and loss of life was a terrible tragedy in the truest sense of the word, the similarities of this incident to the 1983 incident made it all that much more painful. The fact that the Oklahoma City tragedy took place domestically and resulted from entirely domestic terrorist plotters made the situation even more sobering.

Even worse, the above-mentioned security assessment had classified the Oklahoma City Federal Building as a relatively low-risk facility. There were two significant consequences of this classification. The first was that the use of extensive anti-vehicle barriers or bollards was seen as unnecessary. The second was that the building was seen as safe enough that a day care facility was approved for it. This decision added an additional element of heartbreak to the general feeling of horror and grief in response to the bombing.

A Thoughtful Response

In the aftermath of this terrible act the Federal government developed a rather extensive set of building specifications that are required in all new construction. When implemented, these specifications greatly increase a building’s ability to resist a similar attack. Moreover, this risk-based specification focuses considerable attention on reducing the risks to the people in the building. For example, protective films are required for all windows, reducing the risk from flying fragmented glass.

Because of the extended thought that went into this specification, many of the technologies and approaches embraced in it are also available as affordable retrofits to existing buildings. This is especially useful in the case of leased buildings or office space.

Having had an opportunity to work with these codes and specifications, my impression is that there is a good deal of sound thinking behind these measures. Moreover, these specifications are constantly reviewed and updated, taking into account the latest threats and technical developments.

Security Meets the Street

A few weeks ago I was walking down Pennsylvania Avenue in Washington, D.C. It was a beautiful day and I was just a few blocks from the White House. I was a little surprised when I saw one of the bollards that I mentioned earlier. The bollard itself isn’t all that surprising; they are a pretty common sight around the nation’s capital. The fact that this particular barrier was masquerading as a planter box for a small tree was also not all that unusual. However, the barrier was damaged. At a casual glance a damaged bollard isn’t all that unusual a sight either. But something in the back of my mind whispered that there was something odd about this barrier. I looked at the damaged area and noticed that the bollard was filled with Styrofoam. That seemed odd enough to catch my attention and motivated me to investigate a bit further.

The first thing I did was to take a quick snapshot of the bollard (see below). I can’t say it’s likely that I will ever win a Pulitzer Prize for photojournalism, but if you examine my snapshot closely you can clearly identify the Styrofoam grains in the damaged section. I also had a bit of luck. Just as I was looking at the barrier, one of the incredibly efficient and effective D.C. Parking Enforcement Officers happened by, plying their trade. I asked if they were aware of what had happened to the barrier in question. I was in luck; the officer was an eye-witness to a minor fender bender in which the bollard was damaged. I pointed out the foam filling and asked what the point of the foam was. She informed me that the barriers had to be moved all the time. Older planter boxes were constructed from solid poured cement or aggregate, but they were heavy and difficult to move. So, in response to this problem, they introduced the “improved” lighter-weight barriers. I pointed out that it didn’t seem to be very durable and therefore didn’t seem to be a very effective barrier to a vehicle driven by a determined individual. She laughed and shared with me that they were so fragile that the crews that moved them often damaged or destroyed them just by moving them.

Concrete and Styrofoam

Styrofoam in Concrete Barrier photo by Ian.

I guess at that point my incredulous look was obvious on my face, and the officer responded to my unasked question by saying, “I just write tickets; have a nice day!”


Perhaps I’m over-reacting to what I saw and heard. However, this seems to be a good example of how an essential security control can be compromised for reasons completely unrelated to security. In this case, it isn’t clear what the role of the security professionals involved in this process was. They could have fought the weakening of this security control to the limits of their ability. It is also possible that the warnings of the security types were lost in the shuffle between the various Federal and city jurisdictions involved. Convenience and practicality are often the enemy of security policy and security implementation. On the surface of it, this seems to be a good case study making that point.

This is perhaps an example of one of the most difficult and frustrating aspects of the responsibilities of the security community, especially for security leaders. We must hold the line and do the right thing. We will never be thanked for it. And we constantly risk having our jobs or reputations put at risk for doing the right thing and fighting the good fight. But it is important to remember that the consequences of ignoring this responsibility are even larger and potentially graver than job security. I know that Vlad is a hard-nosed security professional who will not compromise. If he is over-ruled, and that happens, he still sleeps well at night.

Posted in Risk Management, What Doesn't Work, What Works
