Signs of the pre-election slowdown are around us, and I’m definitely starting to feel it.

For those of you outside the beltway, it breaks down like this:  people aren’t willing to make any long-term decisions  or start any long-term projects because they will be overruled in a couple of months after the elections and as election platforms meet reality.  Typically this happens once most of the political appointees are in-place, and I have a feeling that early 2009 is going to be much fun, no matter who wins the presidency.

Now when the current president took charge of the executive branch, he issued a 5-point plan called the President’s Management Agenda.  You can check out the PMA on the OMB website.  And yes, E-Government is one of the 5.  You can expect something similar under the new administration.

As a parting shot, you know it’s a slowdown when you see contracts that will be awarded in November but the work doesn’t start until April.  =)

Lame Ducks Frozen in the Ice photo by digitalART2.

• Election Year Follies
• Got Training?
• Privacy Camp DC–April 17th
• An Open Letter to the Next President of the United States
• Learning GovieSpeak: The Plum Book

This super secret security control is from the unpublished control catalog of an agency we would be foolish to name here.  Oh, darn, you talked me into it, the agency is the Director of National Intelligence – Extralegal Ventures to Rectify Information Technology Hacks, Incursions and Numbskulls Gabbing (DNI-EVRYTHING):

PS-1337 PERSONNEL SANITIZATION AND DISPOSAL

Control:
The organization sanitizes information system personnel prior to disposal or release for burial.

Supplemental Guidance:
Sanitization is the process used to remove information from information system personnel such that there is reasonable assurance, in proportion to the confidentiality of the information, that the information cannot be retrieved, recovered or extraordinarily renditioned. Sanitization techniques, including clearing, purging, and destroying personnel information, prevent the disclosure of organizational information to unauthorized individuals when personnel are disposed. The organization uses its discretion on sanitization techniques and procedures for personnel containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on the organization or individuals if released for reuse or disposed. The Black Operations For the Homeland (BOFH) provides personnel sanitization guidance and maintains a listing of approved sanitization procedures in their publication “Leave No Incriminating Evidence (or Where Jimmy Hoffa Went) Directive and BBQ Cookbook”.

Control Enhancements:
(1) The organization tracks, documents, and verifies personnel sanitization and disposal actions.
(2) The organization periodically tests sanitization equipment and procedures to verify correct performance.
(3) The organization employs personnel sanitizers (‘cleaners’) who bear an uncanny resemblance to either Harvey Keitel or Jean Reno to perform ad hoc personnel sanitization procedures.
(4) Lbh fubhyq arire gehfg EBG13 rapelcgvba be chg lbhe snvgu va pbafcvenpl gurbevrf. (ROT13 Super-Encrypted)

LOW: Not Selected  MOD: PS-1337(1)(2)  HIGH: PS-1337(1)(2)(3)  MAJESTIC12: PS-1337(1)(2)(3)(4)

• Workin’ for the ‘Counters: an Analysis of my Love-Hate Relationship with the CPAs
• Transparency in Government: Just Give us the Data!
• Introducing the NoVa InfoSec Portal
• Communicating the Value of Security Seminar Preview
• Yet More Security Controls You Won’t See in SP 800-53

Any comment or graffiti you want to put up in the comments, go ahead.  Only stipulation is that it’s profanity-free (ack, this coming from me?) and relevant to security in the Federal Government.

Why do this?  Well, to give a voice to those who don’t say anything about what’s going on.  We need to hear more from the “silent infosec majority” who just do their jobs every day.

• Some Thoughts on Comments to My Blog…
• On Government Employees, Culture, and Survivability
• The Press has Me all Confused
• The World Asks: is S.773 Censorship?
• Entrepreneurship and Government 2.0

It’s even funnier when you know about the Frankenchrist album trial just a couple of years later.

• It’s Time for an Exit Strategy
• Life Behind “The Great Big NAT in the Sky”
• I’m Addicted to the Hans Reiser Trial
• Me and Mr Suitcase
• Milestones

You were thinking this was part of the rainbow series, along with the orange book, the red book, and the fuchsia book, weren’t you?

Well, no, security dweebs, we’re on a public policy kick, probably will be until the end of the year (more on that to follow, stay tuned), so you wouldn’t be so lucky.

The Plum Book’s official title is Government Policy and Supporting Positions and basically it’s a huge staffing chart for the Senior Executive Service–the political appointees.  Congress publishes the Plum Book after each presidential election, so for those of us who remember our civics lessons in high school, that would be every 4 years, and the last one was published in 2004.

In fact, you can see the last edition here.  Caveat:  it’s dry, like the uber-trocken Franken white wine that grows in the fields around where I used to live in Germany–so dry that it sucks the moisture right out of you.

Plum Pickin photo by Secret Tenerife

Now why do we care about the Plum Book?  Well, that’s a good question.  Have a look at some of the staffing plans in the plum book, and you’ll see something missing:  Agency CISOs.

Now, I’m not a rocket scientist on org charts, but it seems to me that unless you put CISOs up to where they’re answerable to the agency head, they’re just a cost center inside the IT department with no visibility to the decision-makers.  Once again, we’ve crippled our security staffs like the old-school way of doing things.

On another note, taking a quick straw poll of the agency CISOs that I know, I think about half of them are political appointees, and half of them are GS-15s.  So what’s the difference?

Well, political appointees (SES) are appointed by the President.  They make a better target because they have much more visibility from the higher-ups they are more political in nature.

GS-scale employees are civil service careerists.  Usually these are the guys who have moved up the ranks in the various agencies and know quite a bit of things.

Which is better?  Well, if you want survivability, then GS-scale is the way to go.  If you want to make the most difference, SES is the ticket.

Most of us will never get the choice. =)

• On Government Employees, Culture, and Survivability
• It’s a Problem of Scale!
• Now ISC2 Blogs have an Opinion on FISMA
• Why We Need PCI-DSS to Survive
• Split-Horizon Assessments and the Oversight Effect

My friend, the Wee Bonny Graydon McKee, has his own company and a new blog.  Graydon is from Atlanta, helps us teach with the Potomac Forum, and just finished his Masters in Information Assurance.  Pretty good guy all around.  Check him out at Ascension Risk Management and fire up your RSS reader.

• I Need a Security Blog Scorecard
• Blame it all on John Hughes….
• Data Centers and Hair Driers
• My 2 Obsessions this Week
• On Vacation