Some Words From a FAR

Posted September 9th, 2008 by

FAR: it’s the Federal Acquisition Regulation, and it covers all the buying that the government does.  For contractors, the FAR is a big deal–violate it and you end up blackballed from Government contracts or having to pay back money to your customer, either of which is a very bad thing.

In early August, OMB issued Memo 08-22 (standard .pdf caveat blah blah blah) which gave some of the administratrivia about how they want to manage FDCC–how to report it in your FISMA report, what is and isn’t a desktop, and a rough outline on how to validate your level of compliance.

Now I have mixed feelings about FDCC, you all should know that by now, but I think the Government actually did a decent thing here–they added FDCC (and any other NIST secure configuration checklists) to the FAR.

Check this section of 800-22 out:

On February 28, 2008, revised Part 39 of the Federal Acquisition Regulation (FAR) was published which reads:
1. The authority citation for 48 CFR part 39 continues to read as follows: Authority: 40 U.S.C. 121(c); 10U.S.C. chapter 137; and 42 U.S.C. 2473(c).
2. Amend section 39.101 by revising paragraph (d) to read as follows:
39.101 Policy.
* * * * *

(d) In acquiring information technology, agencies shall include the appropriate IT security policies and requirements, including use of common security configurations available from the NIST’s website at Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated.

Translated into English, what this means is that the NIST configurations checklists are coded into law for Government IT purchases.

This carries a HUGE impact to both the Government and contractors.  For the Government, they just outsourced part of their security to Dell and HP, whether they know it or not.  For the desktop manufacturers, they just signed up to learn how FDCC works if they want some of the Government’s money. 

Remember back in the halcyon days of FDCC when I predicted that one of the critical keys to success for FDCC was to be able to buy OEM desktops with the FDCC images on them.  It’s slowly becoming a reality.

Oh what’s that, you don’t sell desktops?  Well, this applies to all NIST configuration checklists, so as NIST adds to the intellectual property in the checklists program, you get to play too.  Looking at the DISA STIGs as a model, you might end up with a checklist for literally everything.

So as somebody who has no relation to the US Federal Government, you must be asking by now how you can ride the FDCC wave?  Here’s Rybolov’s plan for secure desktop world domination:

  • Wait for the government to attain 60-80% FDCC implementation
  • Wait for desktops to have an FDCC option for installed OS
  • Review your core applications on the FDCC compatibility list
  • Adopt FDCC as your desktop hardening standard
  • Buy your desktop hardware with the image pre-loaded
  • The FDCC configuration rolls uphill to be the default OS that they sell
  • ?????
  • Profit!

And the Government security trickle-down effect keeps rolling on….

Cynically, you could say that the OMB memos as of late (FDCC, DNSSEC) are very well coached and that OMB doesn’t know anything about IT, much less IT security.  You probably would be right, but seriously, OMB doesn’t get paid to know IT, they get paid to manage and budget, and in this case I see some sound public policy by asking the people who do know what they’re talking about.

While we have on our cynical hats, we might as well give a nod to those FISMA naysayers who have been complaining for years that the law wasn’t technical/specific enough.   Now we have very static checklists and the power to decide what a secure configuration should be has been taken out of the hands of the techies who would know and given to research organizations and bureaucratic organizations who have no vested interest in making your gear work.

Lighthouse From Afar

Lighthouse From AFAR photo by Kamoteus.

Similar Posts:

Posted in FISMA, NIST, What Doesn't Work, What Works | 8 Comments »

GSA Looking for a Few Good Tools

Posted September 2nd, 2008 by

I like SmartBuy, I’ve talked about it before, it’s a software bulk-purchase program sponsored by GSA. The more types of software products they buy, the better for the people who need to depend on this stuff.

So I’m doing my usual beginning-of-the-week upcoming contracts perusal and something interesting caught my eye:  GSA is looking for “Situational Awareness and Incident Response” (SAIR) software to do a blanket purchase agreement for SmartBuy.

What they mean by SAIR (according to the pre-RFP information) is the following:

  • Baseline Configuration Management
  • Network Mapping
  • Vulnerability Management

Really, think something along the lines of FDCC/SCAP-aware tools to manage IT assets.  Not sure how the incident response piece fits in, but OK, I’ll go along with you here.  Makes sense if you stop and think about it–we have a FDCC mandate from OMB, and now we’re looking for the tools to help with it–I mentioned that FDCC without automation was futile almost 9000 years ago.

I know I have blog readers who make similar software, drop me a message if you need more details.

And for my daily dose of snarkiness:  it’s good to see how GSA has come such a long way in my life from being just the provider of skillcraft pens and simple green.  =)

Similar Posts:

Posted in FISMA, What Works | 5 Comments »

On Why I Blog… FUD is the Reason for the Writin’

Posted August 19th, 2008 by

This article at SC Magazine is exactly why.  Kudos to Dan Philpott for calling the author on his errors.

Things that go through my mind about articles like this:

  • Is it that slow of a news day?  FISMA stuff is always good for a couple yucks when there’s nothing else to talk about.  Looks like somebody needed filler while everybody was flying to Black Hat and DefCon.
  • Once again, we’re confusing FISMA the law with the implementation thereof.  Yawn.
  • Ack, somebody who likes FDCC.  Actually, I like it too in theory, I just don’t like the implementation.
  • “Government has influence when it comes to awareness and will have opportunities to use it.”  Um, yes, it’s the $75B IT budget, flex that muscle wherever you want to get the secure products you want.  Do not underestimate the power of the budget.
  • Follow the FISMA Naysayer and spot somebody who’s looking for money.  In this case, it’s Fortify.

Funny thing is that I think I met the guy from Fortify a couple of months ago at a NoVa OWASP meeting for a showing of their fun-but-FUDtastic movie about application security.  You know, you’ve seen the trailer, it looked like this:

There is a way to influence thinking in this town, and writing trash articles like this is not the way to do it.  If Fortify really wants to change the world, I have some ideas on how to do it, but nobody ever asks.  =)

FUD Truck Makes a Delivery

FUD Truck Makes a Delivery photo by crmudgen23.

Guerilla CISO story time:

About 9 months ago, I got a marketing packet from Borderware.  It said that “FooCorp is identified as sending spam” and offered me the opportunity to join their reputation service.

Looking at the materials they sent me, I deduced that none of the source IPs they listed was in our netblock and that what they were referring to was spam using email addresses as the “from” address.  Um, not a whole lot you can do to stop that, although it does make for some fun abuse@ emails from users who don’t understand how spam works:  “Quit sending me this stuff, I’ll burn down your data center myself!!!111oneoneone”

Anyway, since the whole packet was pure FUD and not really relevant to anything I wanted to do, I sat down and sent an email to their Director of Marketing and CTO:

I know Borderware’s products, we use them in some of our solutions, and you have a good reputation.  Please don’t resort to such a lowbrow marketing scheme because it sullies your brand.

I think Fortify is in the same boat.  They have a good reputation–I have a friend who works for one of their biggest customers, and if he’s cool with it, I am.

But the question for all security companies remains:  how do I sell my product without resorting to spreading FUD everywhere I go?

Similar Posts:

Posted in FISMA, Rants | 6 Comments »

LOLCATS and FDCC–A Match Made in Heaven

Posted June 12th, 2008 by

 Credit to Dan on this one…


funny pictures

Similar Posts:

Posted in IKANHAZFIZMA | 3 Comments »

Current Government Security Initiatives

Posted May 5th, 2008 by

In building slides for our ongoing NIST Framework for FISMA class, I put together a deck of the ongoing Government security initiatives.  It’s plenty of stuff to keep you busy.

Government Security System

“Government Security System” Photo by Kahala

These are some of the more interesting initiatives and a brief description of them:

President’s Management Agenda Scorecard:  This is a quarterly red-yellow-green (hmm, wonder why nobody but the military uses black-red-yellow-green) scorecard on the various aspects of the agenda.  Security is represented as some of the values behind the E-Government score.  More specifically, OMB calls out the following in their FISMA report to congress:

To “get to green” under the E-Government scorecard, agencies must meet the following 3 security criteria:

  • IG or Agency Head verifies effectiveness of the Department-wide IT security remediation process. (rybolov: Plans of Actions and Milestones)
  • IG or Agency Head rates the agency C&A process as “Satisfactory” or better.
  • The agency has 90 percent of all IT systems properly secured (certified and accredited). (rybolov: C&A does not always equate to “secured”, but is an indicator)

In order to “maintain green,” by July 1, 2008, agencies must meet the following security and privacy criteria:

  1. All systems certified and accredited. (rybolov: same C&A caveat as before)
  2. Systems installed and maintained in accordance with security configurations. (rybolov: lots of wiggle room here since it’s the agency’s standard except for the Federal Desktop Core Configuration)
  3. Has demonstrated for 90 Percent of applicable systems a PIA has been conducted and is publicly posted. (rybolov:  PIA is a Privacy Impact Assessment.  It gets posted in the Federal Register as a public notification of what the Government is collecting and what the use is)
  4. Has demonstrated for 90 percent of systems with PII contained in a system of records covered by the Privacy Act to have developed, published, and maintained a current SORN. (rybolov: System of Record Notice, this is what is filed with the Federal Register)
  5. Has an agreed-upon plan to meet communication requirements for COOP and COG. (rybolov: Continuity of Government)

You can view the current scorecard and learn more about it at

OMB Management Watch List:  This is a list of “at-risk” projects.  Security is one part of the list of risks, but for the most part this is a list of high-risk projects within the context of a program/project manager.  The security criteria for being on the Watch List are based on on IG assessments of:

  • Certification and Accreditation
  • Plan of Actions and Milestones
  • Privacy Impact Assessment

 You can check out the most recent Watch List at OMB’s website.

Combined Catalog of Controls:  Superseding DoDI 8500.2 (DoD catalog of controls) and DCID 6/3 (intelligence community catalog of controls) with a reinforced SP 800-53.  Process flow would be along SP 800-37.  I’ve talked about this before.

Security Line of Business:  Agencies become subject-matter experts in an area and become a contractor to the other agencies.  Not a new concept, we’ve seen it elsewhere.

Privacy Management:  OMB Memo 07-16 lays out a privacy plan containing the following tenets:

  • Breach Notification:  Requires each agency to have a breach notification policy
  • SSN Reduction:  Each agency reduces the use of Social Security Numbers where not needed
  • PII Reduction:  Restrict the collection of PII where not needed
  • Rules of Behavior:  Rules for employees to follow when they deal with PII

SCAP and FDCC:  I’ve covered these in much detail. 

Trusted Internet Connections: This is a plan to reduce the number of Government internet connections to 50.  Even the most ardent OMB supporters have to agree that this is both a fairly arbitrary number, not achiveable in the next several years, and not even really a good idea.  You heard it here first, folks, but conventional wisdom says that 500 is a better, more realistic number for the time being, and that is the “real” number that OMB is considering.  The start of this is OMB Memo 08-05.

Einstein:  Basically a Government-wide IDS and SIEM run by US-CERT.  It’s offered under the Security Line of Business.  The good thing about Einstein is that it allows DHS to correllate events government-wide.

Air Force Cyber Command:  It’s provisional now, doesn’t have a permanent headquarters, and is trying to figure out what its mission is, but it’s here.  Gossip around town is that it’s focused on both defensive and offensive missions, although they pictures are all defensive-based.  There’s some information on their website, but be sure to read between the lines.  =)

Cyber Corps:  Scholarship program for college students (both post-grad and undergrad) with a public service obligation following graduation.  You can find out more here.

SmartBuy:  A GSA-run program to bulk-purchase commercial off-the-shelf software at a high-volume discount.  Think of it as a buyer’s club for software.  SmartBuy has disk-encryption software.  You can get more information on the GSA website.

Similar Posts:

Posted in FISMA | 2 Comments »

Next Entries »

Visitor Geolocationing Widget: