Response to “What is Information Assurance – The Video”
Posted June 18th, 2007 by rybolovMovie from George Mason professor Paul Strassman on Information Assurance which was digitized and shared forever thanks to Google Movies.
My response to the movie:
This presentation has many problems.
FISMA is not that large of a law. You can get the text from the NIST website at the following url:
http://csrc.nist.gov/policies/FISMA-final.pdf (16 pages long)
FISMA does not require SP 800-53. It charges NIST with creating standards for information security. FIPS 200 dictates that an agency use 800-53 as their baseline security controls. Once again, we’re confusing the law with the implementation.
The security plan is a vehicle to get people to agree on what the security controls should be, not a post-fact documentation on what security controls that exist.
DIACAP is not the first time that systems have had to be certified. Prior to this, there was DITSCAP, NIACAP, FIPS 102, and SP 800-37. I also wonder how we got from SP 800-53 to DIACAP since they are different flavors–civilian agencies v/s DoD.
In certification, you do not certify compliance. You certify that the controls meet the needs of the business owners. Those needs might be considerably more relaxed than you think. For example: completely air-gapped systems in a SCIF don’t need a sizeable chunk of the control in 800-53. Compliance is costly because you don’t have the ability to not do something that doesn’t make sense.
The “Hamster Wheel of Pain” that is shown as the DIACAP process is detached from other SDLC activities, which is rapidly becoming one of my pet peeves. If you do DIACAP divorced from the SDLC, you are creating liarware.
“The DIACAP activities, the certification of the system, is a very involved, complicated, time-consuming, laborious process that nobody has as yet completed.” It’s so wrong I can’t even begin to explain.
The DAA is not responsible for DIACAP. The DAA is only a key decision maker.
The DAA does not sign a statement saying that you are secure, they sign a statement saying that the level of risk to the system and to the mission is of an acceptable level.
The CIO does not usually go to the DAA. The CIO is more likely to be *the* DAA than just about anybody else.
The second half of the movie is general security information, not really IA-specific.
If this is what they teach in the universities around the beltway, no wonder we have an IA constituency who don’t “get it“.
Similar Posts:
Posted in DISA, FISMA, NIST, What Doesn't Work | 3 Comments »