“True confidentiality controls are when you have thermite grenades taped to the top of the servers.” –Michael Smith

• When Google Hacking Gets Way Personal
• DojoCon DDoS Video
• Self-Quote Time #2
• Building A Modern Security Policy For Social Media and Government
• The Accreditation Decision and the Authorizing Official

Inspired by Richard Bejtlich.

I both love and hate FISMA and C&A.  FISMA itself is pretty good:  Do security planning and tie security into the budget.  That’s great.

But why are we spending all this effort as a jobs program for security people who have no skills?  I want to see C&A people out of business.  As an infantry squad leader, I didn’t outsource planning my missions to contractors who aren’t going with me to be shot at, so why should the government outsource security planning to somebody who has never even seen the system?

I want to see the government figure out a way to do things cheaper, faster, stronger, so that they can spend money and effort on things that matter more than documentation.  C&A was supposed to do that, but it’s now impossible to do right because you have too many people with oversight of security planning who want to argue semantics.

This is my secret to C&A nirvana:  document and test the shared controls once (read: managerial and operational controls), then get on with your life.  Out of the plethora of controls in 800-53, why don’t you create one common controls package (at the risk of sounding like a complete and utter wonk, this is the purpose of having a General Support System) and then for each system, you say “same as the common controls package, this is how we built this system”.  That should limit the repetition of effort to the minimum.

There is no reason that I should have to test my security policy for each system that I own.  That’s a waste of time.  If we keep reinventing the wheel and playing NIH (Not Invented Here) games, we will continue to hemorrhage cash on rewrites of security plans that do not add security value with the exception of mitigating the “auditor risks”.

The System Security Plan (SSP) for one system should be a small binder (or even *gasp* stapled), not a rehash of every NIST publication, the agency policy, and a bunch of fluff to make it look like you added value.  People who do the latter activities or insist on them need to be put out of business, and that’s why I can appreciate the anti-wonk backlash that Richard promotes.

• Compensating Controls
• Effective Inventory Management
• In This Corner, the Business Reference Model
• One Catalog to Rule Them All
• How to Not Let FISMA Become a Paperwork Exercise

Trout are an indicator species.  You can tell how healthy the stream is by counting the number of trout and the size of trout in a particular section.  Trout need clean water, a certain temperature range of water, protection from predators, unsilted gravel to spawn in, and a food supply like smaller fish and invertebrates.  So absence of trout means absence of these factors, which by extension means an unhealthy stream.

There are even metrics for this: number of trout per mile, pounds of trout per mile, average size of trout.  Biologists do periodic electroshocking surveys to capture the fish, weigh and measure them, then release them back into the current.  All in the interest of gathering metrics.

By extension, a very valuable tool for an information security manager is to be able to gather metrics.  Instead of trout per mile, we are interested in total number of vulnerabilities in our information system.  Instead of pounds of trout per mile, we are interested in the aggregate risk to our enterprise.  And so on.

Enter Certification and Accreditation.  It is not just a paperwork exercise.  There, I said it.  It is, however, risk assessment and the gathering of metrics to determine how well our security program is progressing (or not, as the case may be).

As a whole, the government is spending $FooMillions on certification and accreditation and still losing the battle.  I know one agency that is in the process of getting fleeced year after year by unscrupulous contractors selling C&A solutions.  It seems like everybody I’ve worked with previously on a project who didn’t have the skills to succeed is now being billed to this agency as a subject-matter expert.  For every 30 people the agency hires, they get 5 that are any good, and the 25 bad ones can mess things up faster than the others can fix them.

Why is C&A in such a pathetic state?

Well, this is apparently a little-known secret: C&A is an indicator, not the actual act of providing “adequate security”.  If a security program is in place and effective, then it’s relatively easy to satisfy C&A requirements but not the other way around–it is possible to have a certified and accredited system that does not provide adequate security.

With C&A getting such a high amount of press from the guardians of all things security (NIST, OMB, and GAO), what has happened down among the practitioners is that the focus has switched to the indicators instead of the root cause.  Going back to our trout stream, we’re expecting the pounds of trout per mile to go up based solely on the fact that we keep conducting electroshock surveys.

So how do we succeed at the information security game?  One of the steps is to realize C&A for what it is (a risk assessment and metrics tool for decision-makers, a method to incorporate security into the SDLC) and what it isn’t (a solution to internal agency politics, a comprehensive security program).  The next step is to relearn how to perform risk management, which is where the real intent and purpose of C&A lies.

• Sunday Fish Picture
• Reading Between the Letters G, A, and O
• FISMA Fellows Spring Cohort
• Rebuilding C&A
• Remembering Accreditation