No, FISMA Doesn’t Require That, Silly Product Pushers
Posted July 31st, 2008 by rybolov

Post #9678291 on why people don’t understand what FISMA really is: Secure64 DNSSEC Press Releases.
“FISMA Act encourages U.S. government agencies to configure their DNS servers to the DNSSEC security specifications set by the National Institute of Standards and Technology, and it has been reported that the federal government’s Office of Management and Budget (OMB) plans to begin enforcing DNSSEC requirements through an auditing process, setting the standard for DNS best practices.”
Yep, if you stamp FISMA on it, people will buy it, maybe in your PR department’s wettest and wildest dreams. Guys, it’s been 6 years, that kind of marketing doesn’t work nowadays, mostly because we spent ourselves into oblivion buying junkware similar to yours and now we’re all jaded.
Now don’t get me wrong, DNSSEC is a good thing, especially this month. But there is something I need to address: FISMA requires good security management with a dozen or so key indicators, not a solution down to the technical level. Allusions to OMB are just FUD, FUD, and more FUD because unless it’s in a memo to agency heads, it’s all posturing–something everybody in this town knows how to do very well. OMB would rather stay out of mandating DNSSEC and maybe give a “due date” once NIST has a final standard.
My one word of wisdom for today: anybody who tries to sell a product and uses FISMA as the “compelling event” has no clue what they’re talking about.
July 31st, 2008 at 11:16 am
You put peanut butter in my chocolate.
http://howisthatassuranceevidence.blogspot.com/2008/07/just-buy-this-and-you-compliant.html
August 1st, 2008 at 9:32 am
If they’d said, “NIST’s FISMA guidance encourages …” they would have been correct.
What has always frustrated me about 800-53’s SC-20 and SC-21 is that NIST comes so close to saying to use DNSSEC but stops short of doing so. I can speculate as to the rationale, NIST typically doesn’t want to dictate how to come into compliance and avoids advocating particular products to meet compliance. But this isn’t a product, this is a standard, and NIST has never shied away from specifying the standards we are expected to meet.
On another note, the one thing that gives me pause with DNSSEC is that djbdns refuses to support it. DJ Bernstein has some discussion of why he won’t support it on his website but it’s a bit dated. And if the most secure DNS software available won’t support the DNS security standard then it’s time to reconsider how secure that DNS standard is.
August 1st, 2008 at 11:44 am
I never understood how DNS got three whole security controls all to themselves. Is there any other topic that gets as much face time?
Plus, I know absolutely no one who uses DNSSEC. Most people have never even heard of it. And the only widely used product that I know that can use it is Bind9, I believe. I don’t think that MS has any plans of implementing it in the future.
August 1st, 2008 at 12:56 pm
Maybe, just maybe, we can get a DNSSEC thingie going with a PKI and HSPD-12 thingie, but at that point my head starts spinning with silver-bullet acronyms and I pass out.
August 1st, 2008 at 4:30 pm
One word: Abacus.
August 13th, 2008 at 7:00 pm
As an employee of Secure64 who was involved in creating the press release to which this blog refers, I felt a need to respond.
The press release states that FISMA “encourages” adoption of DNSSEC. Nowhere in the press release does Secure64 state that FISMA “mandates” it, or “requires” it. So the title of your blog reprimands “silly product pushers” for something that hasn’t happened. FYI, this “encouragement” comes from NIST Special Publication 800-81, which specifically recommends deployment of DNSSEC as part of a secure DNS.
Just so you know…
August 13th, 2008 at 7:20 pm
Thanks for the comment SPP. =)
I don’t have any problem with saying that something is encouraged, the problem I have is when you use the same language to *imply* that your product is required. FISMA does not encourage any particular solution–the NIST guidance does. You’re confusing the law with the implementation framework–one is guidance and the other is public law, which you allude to in order to lend your press release more credibility.
As an industry, we have enough FUD about products and standard compliance. Please don’t lower yourself to this level.