A Funny Thing Happened Last Week on Capital Hill

Posted April 1st, 2010 by

Well, several funny things happened; they happen every week.  But specifically I’m talking about the hearing in the House Committee on Homeland Security on FISMA reform–Federal Information Security: Current Challenges and Future Policy Considerations.  If you’re in information security and Government, you need to go read through the prepared statements and even watch the hearing.

Also referenced is HR.4900 which was introduced by Representative Watson as a modification to FISMA.  I also recommend that you have a look at it.

Now for my comments and rebuttals to the testimony:

  • On the cost per sheet of FISMA compliance paper: If you buy into the State Department’s cost of $1700 per sheet, you’re absolutely daft.  The cost of a security program divided by the total number of sheets of paper is probably right.  In fact, if you do the security bits right, your cost per sheet will go up considerably because you’re doing much more security work while the volume of paperwork is reduced.
  • Allocating budget for red teams: Do we really need penetration testing to prove that we have problems?  In Mike Smith’s world, we’re just not there yet, and proving that we’re not there is just an excuse to throw the InfoSec practitioners under the bus when they’re not the people who created the situation in the first place.
  • Gus Guissanie: This guy is awesome and knows his stuff.  No, really, the guy is sharp.
  • State Department Scanning: Hey, it almost seems like NIST has this in 800-53.  Oh wait, they do, only it’s given the same precedence as everything else.  More on this later.
  • Technical Continuous Monitoring Tools: Does anybody else think that using products of FISMA (SCAP, CVE, CVSS) as evidence that FISMA is failing is a bit like dividing by zero?  We really have to be careful of this or we’ll destroy the universe.
  • Number of Detected Attacks and Incidents as a Metric: Um, this always gets a “WTF?” from me.  Is the number increasing because we’re monitoring better, or is it because we’re counting a whole bunch of small events as an attack (i.e., IDS flagged on something), or is it because the number of attacks is really increasing?  I asked this almost 2 years ago and nobody has answered it yet.
  • The Limitations of GAO: GAO are just auditors.  Really, they depend on the agencies to not misrepresent facts and to give them an understanding of how their environment works.  Auditing and independent assessment are not the answer here because it’s not a fraud problem, it’s a resources and workforce development problem.
  • OMB Metrics: I hardly ever talk bad about OMB, but their metrics suck.  Can you guys give me a call and I’ll give you some pointers?  Or rather, check out what I’ve already said about federated patch and vulnerability management then give me a call.

So now for Rybolov’s plan to fix FISMA:

  1. You have to start with workforce management. This has been addressed numerous times and has a couple of different manifestations: DoDI 8570.10, contract clauses for levels of experience, role-based training, etc.  Until you have an adequate supply of clueful people to match the demand, you will continue to get subpar performance.
  2. More testing will not help, it’s about execution. In the current culture, we believe that the more testing we do, the more likely the people being tested will be able to execute.  This is highly wrong and I’ve commented on it before.  I think that if it was really a fact of people being lazy or fraudulent then we would have fixed it by now.  My theory is that the problem is that we have too many wonks who know the law but not the tech and not enough techs that know the law.  In order to do the job, you need both.  This is also where I deviate from the SANS/20 Critical Security Controls approach and the IGs that love it.
  3. Fix Plans of Actions and Milestones. These are supposed to be long-term/strategic problems, not the short-term/tactical application of patches–the tactical stuff should be automated.  The reasoning is that you use these plans for budget requests for the following years.
  4. Fix the budget train. Right now the people with the budget (programs) are not the people running the IT and the security of it (CIO/CISO).  I don’t know if the answer here is a larger dedicated budget for CISO’s staff or a larger “CISO Tax” on all program budgets.  I could really policy-geek out on you here, just take my word for it that the people with the money are not the people protecting information and until you account for that, you will always have a problem.

Sights Around Capital Hill: Twice Sold Tales photo by brewbooks. Somehow seems fitting, I’ll let you figure out if there’s a connection. =)

Posted in FISMA, Public Policy, Rants, Risk Management

7 Responses

  1.  Tweets that mention A Funny Thing Happened Last Week on Capital Hill | The Guerilla CISO -- Topsy.com Says:

    […] This post was mentioned on Twitter by jen_h. jen_h said: RT @rybolov: New blog thingie about the FISMA reform hearings last week, lolcats to follow: http://bit.ly/djtAvg […]

  2.  uberVU - social comments Says:

    Social comments and analytics for this post…

    This post was mentioned on Twitter by rybolov: New blog thingie about the FISMA reform hearings last week, lolcats to follow: http://bit.ly/djtAvg

  3.  Dan Philpott Says:

    You forgot about fixing the IG situation. But great article, hit the low points of that hearing.

  4.  Robert Keefer Says:

    Penetration testing isn’t about proving that vulnerabilities exist. It’s about determining and verifying the severity of the problem, so that solutions can be prioritised. Knowing that your IIS server is missing patch X has no value–what can I do to the IIS server without the patch? What data can I see? What other layers are preventing me from doing any damage? Without answers to those questions, of course security goes nowhere.

  5.  rybolov Says:

    Hi Robert, you are very correct. Unfortunately, there are some trends to be very careful with:
    -Penetration testers who don’t understand the context of what they’re trying to accomplish.
    -Penetration testing results to humiliate the assessed organization. This has nothing to do with the test itself, it has everything to do with politics.
    -If you’re really bad at patch and vulnerability management, you’re not ready for a penetration test unless the point is to say that you suck. =)

  6.  You Know who I am Says:

    And there I thought that twice sold tales was about politicos and their sex habits!

  7.  Security Advancements at the Monastery » Blog Archive » FISMA Reform: Lieberman, Collins, and Carper Introduce Bill Says:

    […] creator of the Guerilla CISO blog. Concerning the $1,400 per page cost, Smith in his post “A Funny Thing Happened Last Week on Capital Hill,” writes “If you buy into the State Department’s cost of $1400 per sheet, you’re […]
