Well, this is a little bit of a departure from my usual random digital scribblings that I call a blog:  I partnered up with Vlad the Impaler and we created a slideshow complete with notes about why you should care about security and the Government and what you can learn from watching the Government succeed or fail.

The .pdf of the presentation is here.  Feel free to share with your friends, coworkers, and co-conspirators.

| View | Upload your own

• Archived for the World to See: SP 800-26
• The Accreditation Decision and the Authorizing Official
• When the Feds Come Calling
• Comments on SCAP 2008
• Massively Scaled Security Solutions for Massively Scaled IT

Interesting blog post at Freedom to Tinker about government releasing the raw data.  It makes the security geek in me cringe because well, most of the data that the government has is PII, and I know that the typical government reaction is to say “not only no, but h*ll no!!”  I mean, after all, most of our goal in the Government is to keep the data from reaching the citizens and evil-doers–giving away data is a cultural clash.

Yes, transparent government is a pretty good goal.  I think the authors of Freedom to Tinker have forgotten that not all Government data is fit for public consumption.  The problem is one of sanitization:  how do you clean all of the PII out of data before you release it to the public?  Not only that, but because of the size of the data sets, most likely you need an automated method to sanitize it.  I think that because of the sanitization factor that the Government would not gain that much efficiency by outsourcing the data presentation to others.

As with all things in security, this is nothing new.  There’s a little-known project (First Rule of “Fight Club” being what it is…) known as Radiant Mercury that does exactly this with classified data.  You can check out the basic concept in quasi-official presentations here (.pdf caveat) and here.

If we were going to make all this data available, we would need an unclassified version of Radiant Mercury to filter out all the PII and “Sensitive but Unclassified” bits.

Now as far as letting second parties build interfaces into the raw data, I’m torn on it.  On one hand, private industry can provide access to data “Now at Web 2.0 Speeds!” but on the other hand, then the Government loses control over the presentation and, by extension, accountability for the content.

• Database Activity Monitoring for the Government
• Civilians Ask “What’s With All the Privacy Act Kerfluffle?”
• Random Thoughts on “The FISMA Challenge” in eHealthcare
• “SBU” Must Die
• It’s a Problem of Scale!

I remember it like it was March:  Georgia voluntarily adopted FISMA-esque metrics.  I just found the policy statement for what they’re collecting in 2008.  On a side note, all of Georgia’s security policies feature concepts borrowed from NIST, something I like.

Let’s talk about the scope creep of Government security, shall we?  Fact of the matter is, it’s going to happen, and you’ll get eventually get caught up in FISMA if you’re one of the following:

• State and local government
• Government contractor
• Telco
• Government service provider
• COTS software vendor
• Utilities who own “Critical Infrastructure”

Why do I say this?  Mainly because just like how the DoD is discovering that it can’t do its InfoSec job without bringing the civilian agencies along due to connectivity and data-sharing issues, the Federal Government is coming to the point where it can’t secure its data without involving these outside entities.  Some are providers, but the interesting ones are “business partners”–the people that share data with the Government.

State and local government are the ones to watch for this pending scope creep.  The Federal Government works on the premise that the responsibility to protect data follows wherever the data goes–not a bad idea, IMO.  If they transfer data to the states, the states need to inherit the security responsibility and appropriate security controls along with it.

Now if I’m a contractor and exchange data with the Government, this is an easy fix:  they don’t pay me if I don’t play along with their security requirements.  When a new requirement comes along, usually we can haggle over it and both sides will absorb a portion of the cost.  While this might be true for some state programs, it becomes a problem when there is no money changing hands and the Federal Government wants to levy its security policies, standards, etc on the states.  Then it becomes a revolt against an unfunded mandate like RealID.

There are some indicators of Federal Government scope creep in the Georgia policy.  This one’s my favorite:

The performance metrics will also enhance the ability of agencies to respond to a variety of federal government mandates and initiatives, including the Federal Information Security Management Act (FISMA).

Georgia on my Mind by SewPixie.

• When the Feds Come Calling
• Georgia Modifies and Adopts FISMA Framework
• Why You Should Care About Security and the Government
• Random Thoughts on “The FISMA Challenge” in eHealthcare
• How to Not Let FISMA Become a Paperwork Exercise

In building slides for our ongoing NIST Framework for FISMA class, I put together a deck of the ongoing Government security initiatives.  It’s plenty of stuff to keep you busy.

“Government Security System” Photo by Kahala

These are some of the more interesting initiatives and a brief description of them:

President’s Management Agenda Scorecard:  This is a quarterly red-yellow-green (hmm, wonder why nobody but the military uses black-red-yellow-green) scorecard on the various aspects of the agenda.  Security is represented as some of the values behind the E-Government score.  More specifically, OMB calls out the following in their FISMA report to congress:

To “get to green” under the E-Government scorecard, agencies must meet the following 3 security criteria:

• IG or Agency Head verifies effectiveness of the Department-wide IT security remediation process. (rybolov: Plans of Actions and Milestones)
• IG or Agency Head rates the agency C&A process as “Satisfactory” or better.
• The agency has 90 percent of all IT systems properly secured (certified and accredited). (rybolov: C&A does not always equate to “secured”, but is an indicator)

In order to “maintain green,” by July 1, 2008, agencies must meet the following security and privacy criteria:

1. All systems certified and accredited. (rybolov: same C&A caveat as before)
2. Systems installed and maintained in accordance with security configurations. (rybolov: lots of wiggle room here since it’s the agency’s standard except for the Federal Desktop Core Configuration)
3. Has demonstrated for 90 Percent of applicable systems a PIA has been conducted and is publicly posted. (rybolov:  PIA is a Privacy Impact Assessment.  It gets posted in the Federal Register as a public notification of what the Government is collecting and what the use is)
4. Has demonstrated for 90 percent of systems with PII contained in a system of records covered by the Privacy Act to have developed, published, and maintained a current SORN. (rybolov: System of Record Notice, this is what is filed with the Federal Register)
5. Has an agreed-upon plan to meet communication requirements for COOP and COG. (rybolov: Continuity of Government)

You can view the current scorecard and learn more about it at results.gov.

OMB Management Watch List:  This is a list of “at-risk” projects.  Security is one part of the list of risks, but for the most part this is a list of high-risk projects within the context of a program/project manager.  The security criteria for being on the Watch List are based on on IG assessments of:

• Certification and Accreditation
• Plan of Actions and Milestones
• Privacy Impact Assessment

 You can check out the most recent Watch List at OMB’s website.

Combined Catalog of Controls:  Superseding DoDI 8500.2 (DoD catalog of controls) and DCID 6/3 (intelligence community catalog of controls) with a reinforced SP 800-53.  Process flow would be along SP 800-37.  I’ve talked about this before.

Security Line of Business:  Agencies become subject-matter experts in an area and become a contractor to the other agencies.  Not a new concept, we’ve seen it elsewhere.

Privacy Management:  OMB Memo 07-16 lays out a privacy plan containing the following tenets:

• Breach Notification:  Requires each agency to have a breach notification policy
• SSN Reduction:  Each agency reduces the use of Social Security Numbers where not needed
• PII Reduction:  Restrict the collection of PII where not needed
• Rules of Behavior:  Rules for employees to follow when they deal with PII

SCAP and FDCC:  I’ve covered these in much detail. 

Trusted Internet Connections: This is a plan to reduce the number of Government internet connections to 50.  Even the most ardent OMB supporters have to agree that this is both a fairly arbitrary number, not achiveable in the next several years, and not even really a good idea.  You heard it here first, folks, but conventional wisdom says that 500 is a better, more realistic number for the time being, and that is the “real” number that OMB is considering.  The start of this is OMB Memo 08-05.

Einstein:  Basically a Government-wide IDS and SIEM run by US-CERT.  It’s offered under the Security Line of Business.  The good thing about Einstein is that it allows DHS to correllate events government-wide.

Air Force Cyber Command:  It’s provisional now, doesn’t have a permanent headquarters, and is trying to figure out what its mission is, but it’s here.  Gossip around town is that it’s focused on both defensive and offensive missions, although they pictures are all defensive-based.  There’s some information on their website, but be sure to read between the lines.  =)

Cyber Corps:  Scholarship program for college students (both post-grad and undergrad) with a public service obligation following graduation.  You can find out more here.

SmartBuy:  A GSA-run program to bulk-purchase commercial off-the-shelf software at a high-volume discount.  Think of it as a buyer’s club for software.  SmartBuy has disk-encryption software.  You can get more information on the GSA website.

• Civilians Ask “What’s With All the Privacy Act Kerfluffle?”
• OMB Wants a Direct Report
• An Open Letter to NIST About SP 800-30
• GSA Looking for a Few Good Tools
• In Response to “Cyber Security Coming to a Boil” Comments….