If you're new here and would like to see more of what I'm saying, you may want to subscribe to my RSS feed (I can even email my blog posts to you when I publish a new one) or have a look at my papers and presentations page for downloads of stuff that you can share or "borrow heavily from". You also might find my guidelines for posting comments interesting, especially if you're a government employee. If you want to see me blog about anything in particular, drop me a private email on how you think I'm completely full of myself, extend me an invitation to speak at your next security meeting/event, or just to ship a huge bag of money in my direction, you can do that through my contact page. Thanks for visiting and happy hacking!

Ever feel lost and lonely when staring at the business end of an ST&E?  Confounded and confused considering Configuration controls?  Perplexed and Puzzled at Planning procedures?  Anxious or amazed at Audit and Accountability assessments?  Annoyed at aimless alliteration?

NIST has heard your muttered curses and answered them!  (Except the annoying alliteration, which is my fault.)

Now available are the Assessment Cases for Special Publication 800-53A.  The Assessment Cases offer supplemental guidance on assessing security controls found in the recently released SP 800-53A Guide for Assessing the Security Controls in Federal Information Systems (PDF Warning).  These documents are in their Initial Public Draft so be sure to give them a look and provide some feedback.

The Assessment Cases contain consensus recommendations from the Assessment Cases Project on specific actions to perform when assessing security controls.  These specific actions are intended to complement the assessment procedures documented in NIST SP 800-53A.   Yes, you heard that right, Specific Actions.  Less time spent pondering how to “Examine: … other relevant documents or records”.

The Assessment Cases Project is an inter-agency workgroup headed by DoJ with members including NIST, DoE, DoT and ODNI-CIO.  Many thanks for the hard work of this workgroup’s membership.  You may not be able to hear it but I am applauding on this side of the keyboard.  And a big thanks to Patrick O’Reilly for pointing me to this wonderful resource.

Bookmark to:

Hide Sites

And by “kerfluffle”, I mean these articles:

• GAO Privacy Report
• Technology Liberation Front
• Center for Democracy and Technology
• And how about an analysis of the Privacy Act from DOJ for background reasons?

Well, let’s talk about how privacy and the Government works with Uncle Rybolov (please hold the references to Old Weird Uncle Harold until we’re through with today’s lesson please).

We have a law, the Privacy Act of 1974.  Think about it, what significant privacy-wrenching activities happened just a couple of years prior?  Can we say “Watergate Scandal“?  Can we say “Church Committee“?  Suffice it to say, the early 1970s was an era filled with privacy issues and is where most of our privacy policy and law comes from.  Remember this for later:  this was the 1970’s!

Each of the various sections of the Privacy Act deals with a particular data type.  For instance, Title 13 refers to data collected by the Census Bureau when they’ll go count everybody in 2010.

The Privacy Act talks about the stuff that everybody in the Government needs to know about:  how you’re going to jail if you disclose this information to a third party.  For those of you who have ever been in the military or had to fill out a government form that required your social security number, the light in the back of your head should be going off right now because they all have the warnings about disclosure.

Remember to respect the privacy of the beach huts and chairs photo by Joe Shlabotnik

When it comes to IT security, the Privacy Act works like this:

• You realize a need to collect PII on individuals.
• You do a privacy impact assessment to determine if you can legally collect this data and what the implications of collecting the data are.
• You build rules about what you can do normally with the data once you have collected it.  This is called the “routine use”.
• You write a report on how, why, and about whom you’re collecting this information.  This is known as the “System of Record Notice”.
• You file this report with the Federal Register to notify the public.
• This IT system becomes the authoritative source of that information.

IE, no secret dossiers on the public.  We’ll suspend our disbelief in FISA for a minute, this conversation is about non-intelligence data collection.

Now the problem with all this is that if you stop and think about it, I was 1 year old when the Privacy Act was signed.  Our technology for information sharing has gone above and beyond that.  We can exchange data much much much more quickly than the Privacy Act originally intended.  As a result, we have PII everywhere.  Most of the PII is needed to provide services to the citizens, except that it’s a royal PITA to protect it all, and that’s the lesson of the past 2 years in Government data breaches.

Problems with the Privacy Act:

• The SORN is hard to read and is not easy to find.
• Privacy Act data given to contractors or “business partners” (aka, state and local government or NGOs) does not have the same amount of oversight as it does in the Government.
• Data given to the Government by a third-party is not susceptible to the Privacy Act because the Government did not collect it.  Wow, lots of room for abuse–waterboarding-esque abuse.
• Privacy Act procedures were written for mainframes.  Mainframes have been replaced with clusters of servers.  It’s easy to add a new server to this setup.  Yes, this is a feature.
• If you build a new system with the same data types and routine uses as an already existing SORN, you can “piggyback” on that existing SORN.
• It’s very easy to use the data in a way that isn’t on your “routine use” statement, thus breaking the entire privacy system.

Obviously, at this point, you should have gotten the hint that maybe we need to revise the Privacy Act.  I think GAO and OMB would agree with you here.

So, what alternatives do we have to the existing system?

• Make blanket data types and do a PIA and SORN on them regardless of where that data lies.
• Bend the Paperwork Reduction act and OMB guidance so that we don’t collect as much information.
• Make the Privacy Act more specific on what should be in SORN, PIA, and routine use statements.

To be honest, it seems like most of this is already in place, it just needs to get tuned a little bit so we’re doing the right things.  Once again, the scale of the Government’s IT infrastructure is keeping us from doing the right thing:    there isn’t enough time in the day to do PIAs on a per-server basis or to keep track of every little bit of data.  You have to automate our privacy efforts in some fashion.

And this is why, dear readers, I think the Government needs DLP solutions more than the private sector does.  Too bad the DLP vendors are stuck on credit cards and social security numbers.

Bookmark to:

Hide Sites

 Ah yes, my favorite subject to bash: compliance.  Better comply or GAO will report you. =)

Bookmark to:

Hide Sites

Ever watch a marathon on TV?  There’s the usual formula for how we lay out the day:

• History of the marathon and Pheidippides
• Discussion of the race length and how it was changes so that the Queen could watch the finish
• World records and what our chances are for making one today
• Graphics of the race course showing the key hills and the “sprint to the finish”
• Talk about the womens’ marathon including Joan Benoit and Kathrine Switzer
• Description of energy depletion and “The Wall”
• Stats as the leaders hit the finsh line
• Shots of “back-of-the-pack” runners and the race against yourself

Well, I now present to you the formula for FISMA Report Cards:

• Paragraph about how agencies are failing to secure their data, the report card says so
• History and trending of the report card
• Discussion on changing FISMA
• Quote from Karen Evans
• Quote from Alan Paller about how FISMA is a failure and checklist-driven security
• Wondering when the government will get their act together

Have a read of Dancho’s response to the FISMA Report Card.  Pretty typical writing formula that you’ll see from journalists.  I won’t even comment on the “FISMA compliance” title.  Oh wait, I just did.  =)

Some myths about FISMA in particular that I need to dispell right now:

1. FISMA is a report card:  It’s a law, the grades are just an awareness campaign.  In fact, the whole series of NIST Special Publications are just implementation techniques–they are guidance after all.  Usually the media and bloggers talk about what FISMA measures and um, well, it doesn’t measure anything, it just requires that agencies have security programs based on a short list of criteria such as security planning, contingency planning, and security testing.  It just goes back to the adage that nobody really knows what FISMA is.
2. FISMA needs to be changed:  As a law, FISMA is exactly where it needs to be.  Yes, Congress does have talks about modifying FISMA, but not much has come of it because what they eventually discover after much debate and sword-waving is that FISMA is the way to write the law about security, the problem is with the execution at all levels–OMB, GAO, and the agencies–and typically across organizational boundaries and competing master agendas.
3. There is a viable alternative framework:  Dancho points out this framework in his post which is really an auditors’ plugin to the existing NIST Framework for FISMA.  Thing is, nobody has a viable alternative framework because it’s still going to be the same people with the same training executing in the same environment.

Urban Cell-Phone Fire Myth photo by richardmasoner.  This myth is dispelled at snopes.com.

Way back last year I wrote a blog post about indicator species and how we’re expecting the metrics to go up based on our continual measuring of them.  Every couple of months I go back and review it to see if it’s still relevant.  And the answer this week is “yes”.

Now I’ve been thinking and talking probably too much about FISMA and the grades over the past couple of years, so occassionally I come to conclusions .  According to Mr Vlad the Impaler, the report card is a bad idea, but I’m slowly beginning to see the wisdom of it:  it’s an opportunity to have a debate and to raise some awareness of Government security outside of those of us who do it.  The only other time that we have a public debate about security is after a serious data breach, and that’s not a happy time.

I just wish the media would stop with the story line that FISMA is failing because the grades provide recursive evidence of it.

Bookmark to:

Hide Sites

Yay, FISMA report card for 2007 has been issued.  You can go check it out here.  I can’t believe it, but DHS scored a “B” against all odds. =)

And of course, by now the response to the report card is all rote–everybody wonders what the letters really mean:

• SC Magazine
• IDG
• IT Business Edge
• Federal Times
• Washington Post
• Security Focus

Yeah, yeah, I guess it just goes to prove what we say about the classified world: the people who know don’t talk and the people who talk don’t know.  In this case, everybody attacks the metric because, well, it’s a bad metric–what action are we supposed to take because of what the results are?  It’s also pretty much ignored by this point anyway except for the witty sound bites from some of my “favorite people”, so it’s nothing to get all hot and bothered about.  The GAO and OMB reports that I’ve covered in much detail are much better and have a pretty decent level of analysis.

But fer chrissakes, the report card is issued by Congress, how much detail do you think it will ever contain?  =)

My rapidly expanding queue of pet peeves about this time of the year:

• People who think that FISMA is just a report card and that we should re-examine how we measure security:  the grades are not even required by the law, it’s just technique and we can change that easily enough.
• People who criticize but do not offer an alternative:  even if you had an alternative plan, the environment for execution still involves the same IT assets and the same front-line employees.
• People who don’t understand enterprise-wide security much less a federation of semi-independent enterprises: it’s the nature of government-wide security metrics that they’ll be indicators which can be faked.
• Sound bites from people who have never implemented any aspect of FISMA:  come on, SANS and Gartner?  GAO and the Cyber Security Industry Alliance are a little bit better but taken out of context.
• Nobody ever asks me for a quote on FISMA numminess:  I’ll be pouting for the rest of the week, TYVM.  =)

Not that I’m the world’s best expert at fact-checking, but something caught my eye in the report:  it’s issued by Tom Davis and the url is from the Minority Office for the House Committee on Oversight and Government Reform.  Tom Davis is the representative from Northern Virginia and is the sponsor for FISMA back when it was signed.  Until the last election, he was the chairman of the House Committee on Oversight and Government Reform.  The committee is now chaired by Henry Waxman. 

Time for a new concept in your vocabulary:  LGOPP (OK, actually it’s LGOP, but I added an extra “P” for comedy purposes).  Imagine June 6th, 1944, paratroopers scattered all over the French countryside.  What happens is you pick up the people around you, the senior person becomes the leader, and you carry out the mission.

Photo of Paratrooper Stained Glass in Sainte Mère Église by Nelson Minar

Hence the true meaning of LGOPP: Little Groups of P*ssed-off Paratroopers.  An equivalent phrase is “isolated pockets of brilliance”.

In the words of somebody I went off to war with:  “LGOPPS are the spirit of the infantry:  a handfull of 18- and 19-year-olds with fully automatic weapons who can barely remember what their mission is running around the woods raising hell”.

Now, I know you guys, you’re wondering what this has to do with security?  Well, this is relevant because it’s an election year.  What that means is that instead of being bothered with all this security stuff, Congress is involved in playing “gotcha” with the Executive branch.  After the election, it’s rearranging deck chairs on the Titanic and all of the leadership will change.

Instead of any national-level security agendas and strategizing, we’ll have to be content with security LGOPPs fighting the fight wherever they end up gaining enough critical mass.

And in the case of this year’s FISMA report card, the LGOPP that is Tom Davis’s staffers issued the report while the rest of the committee was busy worrying about elections.

Bookmark to:

Hide Sites