If you're new here and would like to see more of what I'm saying, you may want to subscribe to my RSS feed (I can even email my blog posts to you when I publish a new one) or have a look at my papers and presentations page for downloads of stuff that you can share or "borrow heavily from". You also might find my guidelines for posting comments interesting, especially if you're a government employee. If you want to see me blog about anything in particular, drop me a private email on how you think I'm completely full of myself, extend me an invitation to speak at your next security meeting/event, or just to ship a huge bag of money in my direction, you can do that through my contact page. Thanks for visiting and happy hacking!

Federal Computer Week: Senate Panel Rejects Weakening S 3474

Gene Schultz: Goodbye FISMA (as We Know It)

Let’s talk through the FCW article first, shall we?   =)

“The measure would amend the original FISMA legislation, which outlined compliance activities for agencies to meet each year. However, many agencies have turned FISMA compliance into a paperwork exercise, Carper said.”

Um, no, I don’t get that.  The original FISMA is an information security management law, this law mostly formalizes the role, responsibility, and authority of the CISO.  They intentionally named it FISMA 2008 to make people think that it was ammending the original FISMA, but it doesn’t do that.

Don’t believe the hype, this will not change the original FISMA, it’s just an addition.

“Carper said CIOs primarily develop and oversee policy, but the CISO handles the daily information security activities. He suggested that a CISO council could have a sunset date of two or three years. If the council demonstrated benefits, it could be extended, Carper said.”

OK, fair enough on the cost and coordination, but what the CISO council objectionists don’t understand is that the CIOs don’t know all of the nuts and bolts of security, that’s why we have CISO as a mandatory position in this bill–so that the CIO has a subject-matter-expert to help them out.  Yes, it’s that specialized as a profession.

Now for Gene Schultz:

“First and foremost, to comply with this statute involves generating huge amounts of paperwork to document actions (or lack thereof) taken to address the many areas that FISMA describes. A completely ineffective security practice can get high FISMA marks, as has happened numerous times before.”

OK, this is a little lesson on FISMA paperwork:  people are doing 4x what they should be doing for the following reasons:

• The people doing the writing do not know what they are actually doing
• The agency’s security program is not mature enough to have shared/common controls
• In the world of auditors, if it’s not written down, it doesn’t exist
• CYA purposes–I told you this was a risk

So you think you’re going to do any better with any other framework/law and the same people executing it?

“Two US Senators, Joseph Lieberman of Connecticut and Tom Carper of Delaware, have recently introduced a Senate bill that would render the 2002 version of FISMA obsolete.”

No, to be bluntfully honest, the old version of FISMA will still be around.  Somebody’s been drinking the kool-aid from the lawmakers and the press machine.  If anything, this adds more junk that you can get audited on and an additional layer of paperwork to demonstrate that you have met the provisions of FISMA 2008.

Post No Bills photo by striatic.

Note to our nation’s Lawmakers: as long as you approach information security from the compliance angle, we as a government are doomed to failure and to turn the entire thing into the checklist activity because the people who evaluate compliance are auditors who only know checklists–it’s not a law problem, it’s a people and skills problem.

This bill is actually pretty good with the exception of divorcing the mission owners from the security of the systems that support their mission.

However, if you think that you can reduce the compliance trap by adding more things that will end up on a compliance checklist, you have to be kidding yourself or you don’t understand the auditor mentality.

I keep reconvincing myself that the only way the government can win at security is to promote programs to develop people with security skills.  Of course, that isn’t as sexy as throwing out a bill that you can claim will make FISMA obsolete.

And finally, for those of you playing along at home, the Thomas entry for S 3474, the bill’s page on Washington Watch and the bill’s page on GovTrack.

Bookmark to:

Hide Sites

First, some links:

• Washington Technology
• Federal News Radio
• Federal Computer Week
• The RFI on FEDBIZOPS

Synopsis: DoD wants to know how its system integrators protect the “Controlled Unclassified Information” that they give them.  Hmm, sounds like the fun posts I’ve done about NISPOM, SBU and my data types as a managed service provider.

This RFI is interesting to me because basically what the Government is doing is collecting “best practices” on how contractors are protecting non-classified data and then they’ll see what is reasonable.

Faustian Contract photo by skinny bunny.

However, looking at the problem, I don’t see this as much of a safeguards issue as I do a contracts issue.  Contractors want to do the right thing, it’s just that they can’t decide if security is which of these things:

• A service that they should include as part of the work breakdown structure in proposals.  This is good, but can be a problem if you want to keep the solution cheap and drop the security services from the project because the RFP/SOW doesn’t specify what exactly the Government wants by way of security.
• A cost of doing business that they should reduce as much as possible.  For system integrators, this is key:  perform scope management to keep the Government from bleeding you dry with stupid security managers who don’t understand compensating controls.  Problem with this approach is that the Government won’t get all of what they need because the paranoia level is set by the contractor who wants to save money.

Well, the answer is that security is a little bit of both, but most of all it’s a customer care issue.  The Government wants security, and you want to give it to them in the flavor that they want, but you’re still not a dotorg–you want to get compensated for what you do provide and still make a profit of some sort.

Guess what?  It takes cooperation between the Government and its contractors.  This “Contractor must be compliant with FISMA and NIST Guidelines” paragraph just doesn’t cut it anymore, and what DoD is doing is to research how its contractors are doing their security piece.  Pretty good idea once you think about it.

Now I’m not the sharpest bear in the forest, but it would occur to me that we need this to happen in the civilian agencies, too.  Odds are they’ll just straphang on the DoD efforts. =)

Bookmark to:

Hide Sites

Article from William Jackson in Government Computer News:  Security policies remain a burden to federal IT managers, but they are producing results.

First off, GCN, come into the modern Web 2.0 era by letting people comment on your articles or at least allow trackbacks.  Having said that, let’s look at some of Mr Jackson’s points:

• NIST Special Publications: They’re good.  They’re free.  The only problem is that they’re burying us in them.  And oh yeah, SP 800-53A is finally final.
• Security and Vendors/Contractors:  It’s much harder than you might think.  If there’s interest, I’ll put out some presentations on it in my “copious amounts of free time”.  In the meantime, check out what I’ve said so far about outsourcing.
• Documentation and Paperwork:  Sadly, this is a fact of life for the Government.  The primary problem is the layers of oversight that the system owner and ISSO have.  When you are as heavily audited as the executive branch is, you tend to avoid risks and overdocument.  My personal theory is that the reason is insistence on compliance instead of risk management.
• Revising FISMA:  I’ve said it time and time again, the law is good and doesn’t need to be changed, the execution is the part that needs work.

Bookmark to:

Hide Sites

Dear NIST People,

I have this semi-random digital scribbling thingie called a blog.  You might have heard of them.  Hey, you might have even at one point heard of mine.  =)

On my blog I let it be known that I am what the rest of the world would call a “NIST Cheerleader”.  I watch your every move.  I comment on your new publications.  I teach your framework every quarter.  From time to time, I criticize, but only because I have a foot in the theory of information security that you live and a foot in the implementation with agencies who know where the theory and models break.

The best thing that you have given us is not the risk management framework, it was SP 800-30, “Risk Management Guide for Information Systems”.  It’s small, to-the-point, and scalable from a single server to an entire IT enterprise.  Sure, the quants hate it, but for the quals and Government, it’s good enough.  I know private-sector organizations that use it.  One of my friends and blog readers/commenters was the guy who taught a group of people how to do risk assessment, then these same people went on to help you write the book.

I heard that you were in the process of revising SP 800-30.  While this is much needed to catch up/modernize, I want to make sure that 800-30 does not follow the “live by the catalog, die by the catalog” path that we seem to be following lately.  In other words, please don’t change risk assessment process to the following:

1. Determine boundary
2. Determine criticality
3. Conduct a gap assessment against a catalog of controls (SP 800-53/800-53A)
4. Attach a priority to mitigation
5. Perform risk avoidance because compliance models are yes/no frameworks
6. Document
7. ???
8. Profit!

At Your Own Risk Photo by  Mykl Roventine.

The reason that I am writing this is to let you know that I have noticed a disturbing trend in how now that we have a catalog of controls, the risk management framework is focusing more and more heavily on the catalog as the vehicle for determine an adequate level of security.  Some of this is good, some of this is not.

Why am I so concerned about this?  Well, inside the Government we have 2 conflicting ideas on information security:  compliance v/s risk management.  While we are fairly decent Government-wide at compliance management, the problem that we have is in risk management because risk management is only as good as the people who perform the risk assessment.  Not that we don’t have competent people, but the unknowns are what will make or break your security program, and the only way that you can known the unknowns is to get multiple assessments aimed at risks outside of the control catalog.

However, if you change the risk assessment process to a “catalog of controls gap analysis” process, then we’ve completely lost risk management in favor of compliance management.  To me, this is a disturbing trend that needs to be stopped.

Thank you for your time

–Rybolov

Bookmark to:

Hide Sites

Ever watch a marathon on TV?  There’s the usual formula for how we lay out the day:

• History of the marathon and Pheidippides
• Discussion of the race length and how it was changes so that the Queen could watch the finish
• World records and what our chances are for making one today
• Graphics of the race course showing the key hills and the “sprint to the finish”
• Talk about the womens’ marathon including Joan Benoit and Kathrine Switzer
• Description of energy depletion and “The Wall”
• Stats as the leaders hit the finsh line
• Shots of “back-of-the-pack” runners and the race against yourself

Well, I now present to you the formula for FISMA Report Cards:

• Paragraph about how agencies are failing to secure their data, the report card says so
• History and trending of the report card
• Discussion on changing FISMA
• Quote from Karen Evans
• Quote from Alan Paller about how FISMA is a failure and checklist-driven security
• Wondering when the government will get their act together

Have a read of Dancho’s response to the FISMA Report Card.  Pretty typical writing formula that you’ll see from journalists.  I won’t even comment on the “FISMA compliance” title.  Oh wait, I just did.  =)

Some myths about FISMA in particular that I need to dispell right now:

1. FISMA is a report card:  It’s a law, the grades are just an awareness campaign.  In fact, the whole series of NIST Special Publications are just implementation techniques–they are guidance after all.  Usually the media and bloggers talk about what FISMA measures and um, well, it doesn’t measure anything, it just requires that agencies have security programs based on a short list of criteria such as security planning, contingency planning, and security testing.  It just goes back to the adage that nobody really knows what FISMA is.
2. FISMA needs to be changed:  As a law, FISMA is exactly where it needs to be.  Yes, Congress does have talks about modifying FISMA, but not much has come of it because what they eventually discover after much debate and sword-waving is that FISMA is the way to write the law about security, the problem is with the execution at all levels–OMB, GAO, and the agencies–and typically across organizational boundaries and competing master agendas.
3. There is a viable alternative framework:  Dancho points out this framework in his post which is really an auditors’ plugin to the existing NIST Framework for FISMA.  Thing is, nobody has a viable alternative framework because it’s still going to be the same people with the same training executing in the same environment.

Urban Cell-Phone Fire Myth photo by richardmasoner.  This myth is dispelled at snopes.com.

Way back last year I wrote a blog post about indicator species and how we’re expecting the metrics to go up based on our continual measuring of them.  Every couple of months I go back and review it to see if it’s still relevant.  And the answer this week is “yes”.

Now I’ve been thinking and talking probably too much about FISMA and the grades over the past couple of years, so occassionally I come to conclusions .  According to Mr Vlad the Impaler, the report card is a bad idea, but I’m slowly beginning to see the wisdom of it:  it’s an opportunity to have a debate and to raise some awareness of Government security outside of those of us who do it.  The only other time that we have a public debate about security is after a serious data breach, and that’s not a happy time.

I just wish the media would stop with the story line that FISMA is failing because the grades provide recursive evidence of it.

Bookmark to:

Hide Sites

I have a very disturbing trend with comments to my blog:  I don’t get any comments on the serious stories–only the “fun” posts.

This leads me to believe one of the following is at play:

• I write succinctly and with authority and never make mistakes. (at least it helps to hope…)
• Nobody knows the subjects that I talk about because it’s a niche to a niche.
• I don’t sensationalize the news enough to make people want to comment.  Note that this is a radical departure from the mainstream media when it comes to security and government, where FUD-mongering is the norm.
• People are scared of me because they think I’m intellectually and emotionally unstable and that I’m going to trash them if they comment.  =)
• Government employees are afraid to put anything critical of their leadership in writing.
• Like they say about the classified world, “Those who know don’t talk, those who talk don’t know”. (side note:  what am I saying about myself here?)
• The First Rule of FISMA Club is that YOU DO NOT TALK ABOUT FISMA CLUB!!!111oneoneone
• If it’s your first comment, you have to fight.

Blog Explanation in French by Stephanie Booth

Now the problem for me is that in order to make security in the government work, we need to change the culture of the people doing it.  IT and specifically security require a zero-defects approach, and this is counter to survivability in a political environment.  The only way we can do that is if I’m not the only voice preaching in the wilderness–I really do want people to tell me I’m full of it and give a good rationale.  =)

In the spirit of helping, this is the Guerilla’s Guide to Commenting on http://www.guerilla-ciso.com/

• Everything in Moderation:  No big surprise–I moderate comments.  This is pretty much so I can keep the spam out.  I’ve only had one legitimate post that I deleted because it was personal in nature from a person who knew me in “a past life”.
• Email is Semi-Anonymous:  If you post a comment using a bogus email address, I’m happy with it as long as the content is relevant and doesn’t look like spam.  The email address is really only so wordpress can track you and automagically approve your next post as long as the name and email match up.
• Thou Shalt Remember the Chatham House Rule:  I do not repeat anything that was told to me in confidence.  Neither should you.  Yes, there are things I won’t write on here, like the conversation I had with [censored] from [censored] who confirmed that [censored]-[censored] is not yet final because [censored].
• I’m Neither a Crook Nor a Cop:  I have yet to receive any kind of subpoena asking for subscriber or commenter information, nor do I send you stupid spam jokes because I know who you are.

I’ll end with one of my favorite army jokes:  “What’s the difference between a war story and a fairy tale?  A fairy tale begins with ‘Once upon a time’, war stories begin with ‘No sh*t, there I was’”.

Bookmark to:

Hide Sites