Preliminary Findings on Cybersecurity Review Now Out
Posted April 1st, 2009 by rybolov

In a surprise move, the Obama administration is expected to announce abandonment of NIST’s Framework for FISMA in favor of adopting the Payment Card Industry Data Security Standard (PCI-DSS).
In information leaked to the Guerilla-CISO staff, an undisclosed source deep inside the 60-day cybersecurity review made the following observations:
- Since everybody is complaining that FISMA is failing, the time for change is now while the Government is still in transition chaos.
- The leading metrics support the fact that the Payment Card Industry standards do work.
- There exists a large, relatively inexpensive and certified workforce focused around PCI-DSS. This is preferable to the expensive, non-certified FISMA compliance workforce.
- Billions of credit card transactions occur every day. How could Visa and MasterCard be wrong?
- WAFs and code review are all we need in a web-enabled Government 2.0 world.
- PCI flip-flops on data encryption and the use of DLP solutions; so do we.
- Since one compliance framework is as good as another, we might as well pool our resources.
- A significant amount of money is spent on FISMA compliance. That would all be eliminated under a PCI compliance framework.
- Technologies such as Scanless PCI can reduce the audit burden on the agencies to a couple bottles of beer and a handshake.
- The House testimony on the effectiveness of PCI-DSS was convincing that it is a viable standard.
In the interests of due diligence in reporting, the Guerilla-CISO staff tried to contact NIST’s Computer Security Resource Center and gained the following unofficial opinion:
“Screw those Obama guys. Where were they when we were trying to create Government 1.0 and the FISMA Framework? They haven’t put in the all-nighters because some yahoo at an agency lost a USB drive full of classified documents–they don’t have the experience to make this call. I bet the administration thinks that they can outsource all responsibility to the cloud and get some ‘security through abstraction’. Talk about gratitude for you, I’m going to go work for the International Standards Organization.”
PCI Plug-and-Play photo by ryan_franklin_az.
Posted in IKANHAZFIZMA, Rants | 9 Comments »
Tags: government • infosec • itsatrap • management • NIST
April 1st, 2009 at 3:28 pm
I’m updating the slides now!
What a fantastic and visionary move to improve the security of Federal systems by outsourcing to a proven compliance regime like PCI-DSS. With PCI-DSS we can all sleep safely knowing we are Heartland(tm) Secure!
April 1st, 2009 at 4:18 pm
Homeland, Heartland…. see the similarity? =)
April 1st, 2009 at 7:36 pm
I bet the NIST guys only agreed to talk to you off the record too.
April 1st, 2009 at 9:40 pm
So, does this mean I can update my DEERS records and shop ebay at the same time?
April 2nd, 2009 at 12:00 am
Ok, does this mean Amazon will get a cage code now to hold my security clearance? How is that going to work in the cloud?
April 2nd, 2009 at 12:00 pm
I smell 27000!!
April 2nd, 2009 at 1:30 pm
I just checked my calendar, you are indeed one day too late. Nice try, you had us going there for a minute. Tell me it ain’t so …
April 6th, 2009 at 9:52 pm
[…] about what the Obama administration is trying to do with cybersecurity. If nothing else, you should read the post for the “unofficial opinion;” it’s hilarious […]
April 7th, 2009 at 12:32 pm
Good post! PCI-DSS is the future of the 23rd century. I want more posts. I love your site. Thanks, bye.