Do You Know What FISMA Is?

Posted June 11th, 2007 by

This is all over the blogosphere by now. SecureInfo conducted a survey that said 65% of government workers did not know what FISMA is.

I even started to comment on this in various places, but posts about this survey pop up faster than I can dispel them. All I can say is that SecureInfo needs to pay their publicist a huge bonus for the mileage they got out of the press release.

When it comes to the topic of government workers knowing about FISMA, I’ve already said my piece: unless you’re working in security, senior management, or IT, you don’t need to know what FISMA is. And then there’s SecureInfo which sells among other things… wait for it… security awareness and training solutions.

However, I also have a corollary for you: most of the security practitioners inside the government do not know what FISMA really is. We have books and websites that use such phrases as “FISMA compliance” and “FISMA C&A”. It’s one of “those things that make you say ‘huh?’”

Once again, for the record:

  • FISMA is a law. The core components are in this slide (ack for the .ppt, sorry if it offends you. =) ) This isn’t my original work, it’s part of a deck that my friends and I use when we teach for Potomac Forum. Also it doesn’t mention the tasks to specific agencies like NIST. Whatever you do, don’t use this slide in a presentation you are going to give to me later, I’ll walk out of the meeting. =)
  • FISMA compliance is easy. It’s very easy to meet the core requirements of FISMA. The question is more one of quality.
  • Contractors cannot be FISMA-compliant no matter how hard they try. They do not report to OMB, GAO, or have an IG. They do, however, support government agencies that do.
  • The primary goal of FISMA is to tie security into the mission budget and to make the “business owners” (mission owners?) responsible for security instead of the CISO.
  • In discussing the details of FISMA, it is very easy to confuse the implementation details/guidance with the actual law.

Makes you want to go read the law, doesn’t it? Here’s the text on the NIST CSRC website.

When you look around at the FISMA critics and compare what they say to the law itself, you come to some interesting conclusions:

  • The overwhelming majority of contractors selling solutions around FISMA do not understand what FISMA really is.
  • We are teaching each other the wrong way to approach security by thinking that FISMA compliance means “write a bunch of documents”, “make a scorecard”, or even “do C&A”.
  • Some people have a conflict of interest with understanding FISMA because they are selling their own “competing” methodology. (one NPO in particular, rhymes with “CANS”)
  • There are many charlatans getting rich off everyone else’s ignorance selling both software and services. It is in their best interest to keep you ignorant of what the law is because it helps them sow the seeds of Fear, Uncertainty, and Doubt. I think the only thing saving humanity is the fact that CISOs are skeptical by nature. =)
  • Poor little FISMA has been abused by everybody, even those who think they are doing the right thing and quoting the magic phrase of “won’t somebody think of the taxpayers?”

Where do we go from here? Just like I’ve said a bazillion times, the DC security community needs more heretic prophets to show them the way out of the wilderness through a campaign of public awareness and education.


Posted in FISMA, NIST, Rants | 10 Comments »

Puzzles v/s Mysteries

Posted May 31st, 2007 by

There’s a nice article at the Smithsonian about the difference between riddles and mysteries. I received this via the security metrics email list.

Risks and Riddles

This reminds me of intelligence work, for obvious reasons.

There are 2 major types of offensive actions an army can conduct: deliberate attack and movement to contact. (Yes, those of you pedantic enough will bring up hasty attacks and a dozen other scenarios, I’m being a generalist here =) )

In a deliberate attack, you know roughly what the Bad Guys are doing–they are defending key terrain. The task for the intelligence people is to find specific Bad Guy battle positions down to the platoon level. This is a puzzle with a fairly established framework: you are interested in the details.

In a movement to contact, you have a very hazy idea that there are Bad Guys out there. You move with an eye towards retaining flexibility so that you can develop the situation based on what you learn during the mission. The task for the intelligence people is to determine the overall trend on what the Bad Guys are doing. This is a mystery, and you’re more concerned with finding out the overall direction than you are with the specifics–they’ll get lost due to “friction” anyway.

Now translated to information security, some of what we know about the Bad Guys is static and therefore more of a puzzle–think about threats that have mature technologies like firewalls, anti-virus, etc. to counter them. Solutions to these threats are all about products.

On the other hand, we have the mysteries: 0-day attacks, covert channels, and the ever-popular insider threat. Just like a well-established military has problems understanding the mystery that is movement to contact, information security practitioners have problems responding to threats that have not been well-defined.

So information security, viewed in the light of puzzle v/s mystery, becomes the following scenario: how much time, effort, and money do we spend on the puzzles versus how much time do we spend on mysteries? The risk geek in me wants to sit down and determine probabilities, rate of occurrence, etc. in order to make the all-important cost-benefit-risk comparison. But for mysteries I can’t, by definition of what a mystery is, do that, and our model goes back to peddling voodoo to the business consumers.


Posted in Army, Rants, Risk Management, What Doesn't Work, What Works | 1 Comment »

The Vendors are Already Jumping on the 07-11 Bandwagon

Posted May 21st, 2007 by

Two months ago, OMB released Memorandum 07-11 which established the authority for government-wide hardening standards for Windows products. It’s a very good thing in my opinion.

However, I’m beginning to see the start of the side effects. I already have vendors beating down my door trying to sell me compliance solutions that will help me meet this “oh-so-very-important standard”. I think they missed the other things I’ve had to say about compliance. The one worry that I have is that people will hit their systems with whatever technical policy compliance tool and think that they don’t have to do anything else. I think that’s really the one big problem I have with this entire class of products–they present themselves as the cure-all for all the security problems that an organization could have.

Knowing the people from NIST, it’s the classic problem that they have: They issue guidance and people blindly follow it even though it’s contradictory and not smart security. The best part is when people offer “NIST-Compliant” solutions (I take that out of our marketing material whenever I find it and then take the time to educate people on why it’s wrong) which are at best, “Our interpretation of the guidelines with numerous assumptions” and think that this is all that an organization should do security-wise. Well, the catch is that NIST, compliance frameworks, and vendors can’t anticipate every situation, so at the most what they’re offering is a 75% solution. If you go back to both NIST and OMB, they will tell you to make a decision based on a cost-benefit-risk comparison.

My friend Art Chantker from The Potomac Forum has an executive breakfast on the 24th with a good host of speakers–OMB, NIST, Microsoft, and US Air Force. I’ll be there, just for the simple fact that I can refute claims later when somebody offers me yet another compliance solution. =)

This whole unified standard business was started by the US Air Force, who very simply decreed that you wouldn’t connect a Windows system to the network until it met the technical standards. Hmmm, wonder where they got the idea for a technical standard? This isn’t new, DoD has been doing it for years. I guess finally the clueful people got together and decided to make the migration to Vista a chance to get STIGs implemented in the civilian agencies.


Posted in FISMA, NIST, Rants, Technical | 3 Comments »

Personnel Turnover

Posted May 15th, 2007 by

Personnel turnover has to be the bane of life as a contractor in the DC area. As soon as you get somebody hired and trained, they’re out the door, taking the life of the project that they started with them. I think the average is less than a year.

I’m really rare. I’ve worked with the same company for 4.5 years. That’s an eternity in the environment I’m in. Granted I took a “little vacation” to “someplace sunny” in 1994, but still, I came back.

There are a couple of reasons that we have such a high turnover rate in the area:

  • The demand is high and the supply of good security people is low. That means that the salaries are going up just as fast.
  • Because salaries are so high, there is a very sizeable gap between entry-level positions and the top positions. HR raise formulas don’t compensate for this, so the only way to get a good salary increase year after year is to job-hop.
  • Key personnel change at your company? No problem, you can very easily land somewhere more friendly. There isn’t much encouragement to stick around and work out your differences.

Like I say all the time, there are 2 job markets for me as a security professional: DC and the rest of the world.

As for why I’ve been at the same place for over 4 years, well, I hop around from project to project and site to site inside the company. In some ways, I’m letting the staffing burn rate make opportunities for me.


Posted in Rants, The Guerilla CISO | 1 Comment »

Being the Resident Curmudgeon

Posted May 8th, 2007 by

It seems like the last month people have been relying on me as the resident curmudgeon. I’m a little outspoken on how I feel, so it’s like people expect me to sit in a closet and they throw me slow-moving softballs so I can hit them out of the park. I get the feeling that people are using me to say no to things that they think are wrong and they just need confirmation from somebody else.

I get all the open-ended questions like the following:

  • So Mike, how do you feel about us using $foo tool and providing this as a service for free?
  • So Mike, we want to do this project and break all the security rules. Will you support us in it?
  • So Mike, can we put client networks in this area that we have no control over who goes into and out of?
  • So Mike, can we connect $bar network to $baz network and they talk back and forth even though they’re clients that are not supposed to know each other exists?

I mean, how much of a crotchety old jerk does everybody think I am? =) And still, I’m good for one lengthy email rant every week or so.


Posted in Rants, The Guerilla CISO | 6 Comments »

I’m Now Trackable

Posted May 2nd, 2007 by

I finally got an EZPass for the Dulles Tollroad. It cut my commute down from 45 minutes to 25 minutes–it’s complete magic.

However, in amongst all the other material that comes with the transponder there is a privacy policy about disclosure of your EZPass records. Go read it and you’ll understand when I say this: Don’t put a bulleted list of people in your privacy policy unless you disclose PII to them, because it’s too easy to misunderstand!!

I had to read the policy at least 3 times before I realized that they only release with a court order. I guess we should just chalk it up as a lesson learned in “don’t write it this way”.


Posted in Rants, What Doesn't Work | No Comments »
