A Visit from DCAA
Posted August 9th, 2007 by rybolov
I helped give our auditors from the Defense Contract Audit Agency (DCAA) some education on how managed services work. We did the usual presentation–who the building tenants are, what takes place in the various floors, and what services we offer.
In case you’re not familiar with DCAA, the basic rundown is that they are the financial auditors for government contracts. They look at your numbers and try to detect how and where you are committing financial fraud. In our case, we have distinct service descriptions and a set of financial and operational metrics to support the numbers (i.e., each server requires 1 hour per month on average to do patching and fix outages, so the cost to us is $100, add your markup and that’s the cost per month to monitor and manage a device).
This is risk management through education for us. When you have auditors who don’t understand why an IT operations shop would need 13K gallons of diesel fuel (I thought you did IT?), the least you can do is to educate them.
Posted in Risk Management, The Guerilla CISO | 2 Comments »
August 9th, 2007 at 1:21 pm
Do you at least have the ledger showing the equivalent amount of Ammonium Nitrate on another page? 😉
August 10th, 2007 at 10:35 am
No, that’s all paid for under the “slush fund” tab. =)