What the Government Looks for in a Product
Posted August 13th, 2007 by rybolov

I’ve been sitting in some vendor presentations lately–I think they invite me along so I can be the resident curmudgeon–and I’m starting to get a good feel for what both the government and I want in a product.
I want to know how a tool fits into my IA framework. That framework for me is NIST SP 800-53. One side effect of 800-53 is that I can’t justify a product “just because”–I have to state how this tool or service will help me attain “compliance” with the minimum baseline of security controls. It’s not enough anymore to just say “hey, our product helps you with SP 800-53 controls, have some magic FISMA Fairy Dust”.
Advice for vendors: take the day of effort to provide a traceability matrix for me. What I have is a Plan of Actions and Milestones (POA&M) that requires me to implement the following controls:
- AC-11 Session Lock
- AC-12 Session Termination
Now what I want is for your product to say the following:
- AC-11: Our product locks out users after 15 minutes of activity on their Frobulator workstation.
- AC-12: Our product terminates users after 25 minutes of activity on their Frobulator workstation.
If your product doesn’t do a control, don’t mention it. But by all means get somebody who routinely works with the catalog of controls to determine if you meet the control objective: there’s nothing I hate more than trying to understand how somebody stretched their interpretation of control objectives that I now have to turn around and rationalize to an auditor. It’s OK if your product doesn’t do everything as long as it does the right things.
Now the reason I bring all this up is that I, too, am a vendor–a services/outsourcing vendor. I’m taking the time this week to do my own traceability matrix that says something like this:
- For the Basic Hosting Service, these are the controls that you get (mostly Physical and Environmental Protection (PE) and Media Protection (MP))
- For the IDS Monitoring and Management Service, these are the controls that you get (mostly Audit (AU) controls with a smattering of Incident Response (IR) controls)
- For the Network Monitoring and Management Services, these are the controls that you get (hardly any except for availability monitoring)
- This is what we provide for support when you do a risk assessment or certification and accreditation
- Some controls are Inherent Government Functions (IGF) and cannot be outsourced to us such as FIPS-199 categorization and risk acceptance
The whole idea is to delineate the responsibilities for pre-sales work so that when somebody contracts with us, they know the Government’s responsibilities, our Project Management Office’s (PMO’s) responsibilities, and my operations group’s responsibilities. It’s going back to the nature of outsourcing and the fact that transparency is key.
Posted in FISMA, NIST, Outsourcing, The Guerilla CISO | 3 Comments
August 14th, 2007 at 7:15 am
Bless you, my son!!
In fact, the very sign of a traceability matrix (a readable, sensible one, please) is enough to gain a vendor several points in my book.
Hell, any sign that they’re smart and are doing their homework is a big plus.
August 17th, 2007 at 11:23 am
> Now what I want is for your product to say the following:
>
> AC-11: Our product locks out users after 15 minutes of activity on their Frobulator workstation.
> AC-12: Our product terminates users after 25 minutes of activity on their Frobulator workstation.
I think depending on such a terse description is inadequate.
For 30 years the problem I have seen is disparate definitions of “inactivity”, so unless that is specified and understood there will not be full understanding.
As an example, does any particular version of “inactivity” mean:
- No characters displayed?
- No characters typed?
- No disk IO?
- No CPU consumed?
And how does all of that interact with little gimmicks designed or used to avoid detection as “inactive”?
What if that perception of inactivity is because a user process is waiting for an operator response?
August 17th, 2007 at 11:49 am
You are correct, Larry, and instead of just saying “Our product helps you be ‘FISMA-compliant’”, tell me what your interpretation is. I still have to do the “Tab A into Slot A” style of product selection to match what my findings are.
For reference/explanation, Larry is a huge VMS security guru, so he lives in a world very different from the usual models that you would use when talking about server-client computing à la Windows or even Unix.