Interestingly, Splunk has been going after FISMA dollars here lately.  check out the Forbes article, video on YouTube, and their own articles.  I guess there’s another “pig at the trough” (heh, including myself from time to time).

It’s interesting how companies decide to play in the Government market.  It seems like they fall into 2 categories:  companies that have grown to the point where they can sustain the long-term investment with a chance of payoff in 5 years, and companies that are desparate and want a spot at the trough.

To its credit, Splunk seems to be one of the former and not the latter, unlike the hordes of “Continuous Compliance” tools I’ve seen in the past year.

Which brings up the one big elephant in the room that nobody will talk about:  who is making money on FISMA?

This is my quick rundown on where the money is at:

• Large Security Services Firms:  Definitely.  About a quarter of that is document-munging and other jack*ssery that is wasteful, but a good 3/4 of the services are needed and well-received.  Survival tip:  combining FISMA services with other advisory/assessment services.
• Software and Product Vendors:  Yes and no.  Depends on how well they can make that crucial step of doing traceability from their product to the catalog of controls or have a product that’s so compelling that the Government can’t say no (A-V).  Survival tip:  Partner with the large integrator firms.
• Managed Security Service Providers:  Yes, for the time being,  but look at their market getting eaten from the top as US-CERT gets more systems monitored under Einstein and from the bottom as agencies stand up their own capabilities.  Survival tip: US-Cert affiliation and watch your funding trail, when it starts to dry up, you had better be diversified.
• System Integrators:  It’s split.  One half of them take a loss on FISMA-related issues because they get caught in a Do What I Mean with a “Contractor must comply with FISMA and all NIST Guidance” clause.  The other half know how to either scope FISMA into their proposals or they have enough good program management skills to protest changes in scope/cost.  Survival tip:  Have a Government-specific CSO/CISO who understands shared controls and how to negotiate with their SES counterparts.
• 8(a) and Security Boutique Firms:  Yes, depending on how well they can absorb overhead while they look for work.  Survival tip:  being registered as a disadvantaged/woman-owned/minority-owned/foo-owned business means that the big firms have to hire you because their contracts have to contain a certain percentage of small firms.
• Security Training Providers:  Yes.  These guys always win when there’s a demand.  That’s why SANS, ISC2, and a host of hundreds are all located around the beltway.  Survival tip:  trying to absorb government representation in training events and as speakers.

• NIST’S FISMA Pase II–Who Certifies Those who Certify the Certifiers?
• Security Assessment Economics
• More on Georgia’s FISMA Reporting
• Imagine that, System Integrators Doing Security Jointly with DoD
• Introducing the Government’s Great InfoSec Equities Issue