In Other News, I’m Saying “Nyet” on S.3474
Posted December 15th, 2008 by rybolov

It’s probably a shocker to most people, but I’m going to recommend that S.3474 be amended or die on the Senate floor like Caesar.
I’ve spent many hours reading over S.3474. I’ve read the press releases and articles about it. I’ve had some very difficult conversations with my very smart friends.
I’ve come to the conclusion that S.3474, as written and proposed by Senators Carper and Lieberman, is not the answer to information security in the Government that it has repeatedly been publicized as, and that anyone who believes the hype is in for a rude surprise next fall if the bill is passed and signed.
My thoughts on the matter:
- S.3474 is not what it is being publicized as. The people who write the press releases and the articles would have us believe that S.3474 is a rewrite of FISMA 2002 and that it focuses on continuous monitoring of the security of IT systems, both of which would be good things. First and foremost, it does not repeal FISMA 2002, and anyone saying that it does is simply trying to deceive you. S.3474 adds to the FISMA 2002 requirements and codifies the role and responsibilities of the agency CISO.
- S.3474 does not solve the core problem. The core problem with security in the Government is the lack of a skilled workforce. This is a strategic issue that a bill aimed at the execution of security programs cannot solve by itself.
- S.3474 adds to the existing checklists. People have been talking about how S.3474 will end the days of checklists and auditors. No, it doesn’t work that way, nor is the bill written to reduce the audits and checklists. When you introduce new legislation that adds to existing legislation, you have added more items to the existing checklists. In particular, the provisions pertaining to the CISO’s responsibilities are audit nightmares. For instance, “How do you maintain a network disconnect capability as required by FISMA 2008?” opens up a whole Pandora’s Box of “audit requirements”, which are exactly what’s wrong with the way FISMA 2002 has been implemented.
- S.3474 puts too much of the responsibility on the CISO. That’s backwards thinking, people. The true responsibility for security inside an agency falls upon the political appointee who is the agency head. Those are the people who make the decisions to commit “unsafe acts”.
- S.3474 does not solve any problems that need a solution. Plain and simple, it just enumerates the perceived failings of FISMA 2002. It’s more like a post-divorce transition lover who is everything that your ex-spouse is not. Let’s see… technical controls? Already got them. Requirements for network monitoring? Already got them. 2nd-party audits? Already got them. Requirements for contractors? Already got them. Food for thought: all of these already exist in the form of guidance. Does the security community as a whole feel that we need to take them and turn them into law, which takes years to change to keep up with the pace of technology? There is some kind of segue there into Ranum’s line about how one day we will all work for the lawyers.
Of course, this is all my opinion and you are free to disagree. In fact, please do; I want to hear your opinion. But first and foremost, go read the bill.
Photo: “i haz a veto pen” by silas216
Posted in FISMA, Rants, The Guerilla CISO, What Doesn't Work | 3 Comments »
December 15th, 2008 at 5:21 pm
I have taken your advice once again and read your latest blog posts.
What more can I say?
You are right rybolov, once again.
This distills everything I have been swirling about for the last several days. You have crystallized (dare I say?) our argument and tied it all up in a neat package.
More on this later.
Very well written!
Vlad
December 16th, 2008 at 1:57 pm
Well put, Michael. I agree about a root cause of the current condition being a lack of qualified staff. I also agree that what is really required is more accountability of those agency heads (actually, the Authorizing Officials in ranks) that are far too eager or ignorant in accepting risk on behalf of the agency.
I’d be interested in hearing your thoughts on the emerging Consensus Audit Guidelines (http://tinyurl.com/6on29v).
January 6th, 2009 at 10:45 am
[…] for visiting and happy hacking! Rybolov really struck a note with me (as he usually does) with his blog entry on his decision that S.3474 was a bad thing. It reminds me of a conversation I had with a friend recently. Basically she asked me why bad thing […]