Current Government Security Initiatives

Posted May 5th, 2008 by

In building slides for our ongoing NIST Framework for FISMA class, I put together a deck of the ongoing Government security initiatives.  It’s plenty of stuff to keep you busy.

“Government Security System” photo by Kahala

These are some of the more interesting initiatives and a brief description of them:

President’s Management Agenda Scorecard:  This is a quarterly red-yellow-green (hmm, wonder why nobody but the military uses black-red-yellow-green) scorecard on the various aspects of the agenda.  Security is represented as some of the values behind the E-Government score.  More specifically, OMB calls out the following in their FISMA report to Congress:

To “get to green” under the E-Government scorecard, agencies must meet the following 3 security criteria:

  • IG or Agency Head verifies effectiveness of the Department-wide IT security remediation process. (rybolov: Plans of Actions and Milestones)
  • IG or Agency Head rates the agency C&A process as “Satisfactory” or better.
  • The agency has 90 percent of all IT systems properly secured (certified and accredited). (rybolov: C&A does not always equate to “secured”, but is an indicator)

In order to “maintain green,” by July 1, 2008, agencies must meet the following security and privacy criteria:

  1. All systems certified and accredited. (rybolov: same C&A caveat as before)
  2. Systems installed and maintained in accordance with security configurations. (rybolov: lots of wiggle room here since it’s the agency’s standard except for the Federal Desktop Core Configuration)
  3. Has demonstrated for 90 percent of applicable systems a PIA has been conducted and is publicly posted. (rybolov:  PIA is a Privacy Impact Assessment.  It gets posted in the Federal Register as a public notification of what the Government is collecting and what the use is)
  4. Has demonstrated for 90 percent of systems with PII contained in a system of records covered by the Privacy Act to have developed, published, and maintained a current SORN. (rybolov: System of Record Notice, this is what is filed with the Federal Register)
  5. Has an agreed-upon plan to meet communication requirements for COOP and COG. (rybolov: Continuity of Government)

You can view the current scorecard and learn more about it at results.gov.

OMB Management Watch List:  This is a list of “at-risk” projects.  Security is one part of the list of risks, but for the most part this is a list of high-risk projects within the context of a program/project manager.  The security criteria for being on the Watch List are based on IG assessments of:

  • Certification and Accreditation
  • Plan of Actions and Milestones
  • Privacy Impact Assessment

You can check out the most recent Watch List at OMB’s website.

Combined Catalog of Controls:  Superseding DoDI 8500.2 (DoD catalog of controls) and DCID 6/3 (intelligence community catalog of controls) with a reinforced SP 800-53.  Process flow would be along SP 800-37.  I’ve talked about this before.

Security Line of Business:  Agencies become subject-matter experts in an area and become a contractor to the other agencies.  Not a new concept, we’ve seen it elsewhere.

Privacy Management:  OMB Memo 07-16 lays out a privacy plan containing the following tenets:

  • Breach Notification:  Requires each agency to have a breach notification policy
  • SSN Reduction:  Each agency reduces the use of Social Security Numbers where not needed
  • PII Reduction:  Restrict the collection of PII where not needed
  • Rules of Behavior:  Rules for employees to follow when they deal with PII

SCAP and FDCC:  I’ve covered these in much detail.

Trusted Internet Connections: This is a plan to reduce the number of Government internet connections to 50.  Even the most ardent OMB supporters have to agree that this is both a fairly arbitrary number, not achievable in the next several years, and not even really a good idea.  You heard it here first, folks, but conventional wisdom says that 500 is a better, more realistic number for the time being, and that is the “real” number that OMB is considering.  The start of this is OMB Memo 08-05.

Einstein:  Basically a Government-wide IDS and SIEM run by US-CERT.  It’s offered under the Security Line of Business.  The good thing about Einstein is that it allows DHS to correlate events government-wide.

Air Force Cyber Command:  It’s provisional now, doesn’t have a permanent headquarters, and is trying to figure out what its mission is, but it’s here.  Gossip around town is that it’s focused on both defensive and offensive missions, although the pictures are all defensive-based.  There’s some information on their website, but be sure to read between the lines.  =)

Cyber Corps:  Scholarship program for college students (both post-grad and undergrad) with a public service obligation following graduation.  You can find out more here.

SmartBuy:  A GSA-run program to bulk-purchase commercial off-the-shelf software at a high-volume discount.  Think of it as a buyer’s club for software.  SmartBuy has disk-encryption software.  You can get more information on the GSA website.

Posted in FISMA | 2 Comments »

It’s a Problem of Scale!

Posted April 30th, 2008 by

Maybe I’ve been working on slide decks for too long.  That’s why I haven’t been blogging much over the past week:  when you spend 8 hours a day revising and formatting slides, your brain turns to jello.

Then suddenly on Tuesday, it hit me:  the Government’s problem with security is one of scale.  And at this point you all go “Duh, where have you been for the past 200 years?”  And yes, it’s not a problem exclusive to security, it goes hand-in-hand with personnel management, financial management, $foo management, and $bar management.

Large-Scale Scaley Carp photo by radcarper

Now the scale in itself isn’t really the problem, it’s that we don’t have information security models that scale to that level.  And what I mean by that is that each agency is pretty much their own enterprise.  The entire executive branch is one huge federation of independent enterprises (and some of the enterprises are federated, but we’ll ignore that for the time being).  Most of our existing thoughts on information security management are focused on the enterprise, and the only hope to use them is to manage each enterprise separately.

Really, folks, we don’t have information security models that scale up as massively as we need to, and what we’ve been doing is borrowing from other fields, most notably Federal law and public accounting.  Unfortunately for us, these are models based on compliance, not risk management.  Even then, I don’t see the compliance angle going away anytime soon.

Now this is the really big problem:  everybody has some kind of criticism about how the Government runs their information security.  But I don’t see anybody with a viable alternative, nor do I expect to see one because the only people with problems on this scale are large governments.

Posted in FISMA, Rants | No Comments »

Splunk Goes After the FISMA Lucre, They’re not Alone

Posted April 23rd, 2008 by

Interestingly, Splunk has been going after FISMA dollars here lately.  Check out the Forbes article, video on YouTube, and their own articles.  I guess there’s another “pig at the trough” (heh, including myself from time to time).

It’s interesting how companies decide to play in the Government market.  It seems like they fall into 2 categories:  companies that have grown to the point where they can sustain the long-term investment with a chance of payoff in 5 years, and companies that are desperate and want a spot at the trough.

To its credit, Splunk seems to be one of the former and not the latter, unlike the hordes of “Continuous Compliance” tools I’ve seen in the past year.

Which brings up the one big elephant in the room that nobody will talk about:  who is making money on FISMA?

This is my quick rundown on where the money is at:

  • Large Security Services Firms:  Definitely.  About a quarter of that is document-munging and other jack*ssery that is wasteful, but a good 3/4 of the services are needed and well-received.  Survival tip:  combining FISMA services with other advisory/assessment services.
  • Software and Product Vendors:  Yes and no.  Depends on how well they can make that crucial step of doing traceability from their product to the catalog of controls or have a product that’s so compelling that the Government can’t say no (A-V).  Survival tip:  Partner with the large integrator firms.
  • Managed Security Service Providers:  Yes, for the time being, but look at their market getting eaten from the top as US-CERT gets more systems monitored under Einstein and from the bottom as agencies stand up their own capabilities.  Survival tip: US-CERT affiliation, and watch your funding trail; when it starts to dry up, you had better be diversified.
  • System Integrators:  It’s split.  One half of them take a loss on FISMA-related issues because they get caught in a Do What I Mean with a “Contractor must comply with FISMA and all NIST Guidance” clause.  The other half know how to either scope FISMA into their proposals or they have enough good program management skills to protest changes in scope/cost.  Survival tip:  Have a Government-specific CSO/CISO who understands shared controls and how to negotiate with their SES counterparts.
  • 8(a) and Security Boutique Firms:  Yes, depending on how well they can absorb overhead while they look for work.  Survival tip:  being registered as a disadvantaged/woman-owned/minority-owned/foo-owned business means that the big firms have to hire you because their contracts have to contain a certain percentage of small firms.
  • Security Training Providers:  Yes.  These guys always win when there’s a demand.  That’s why SANS, ISC2, and a host of hundreds are all located around the beltway.  Survival tip:  trying to absorb government representation in training events and as speakers.

Posted in FISMA, Outsourcing, What Doesn't Work, What Works | No Comments »

Selling Water to People in the Desert

Posted April 15th, 2008 by

Some things should absolutely sell themselves. In the Mojave desert, the guy to be is the one driving the ice cream truck because everybody is happy to see you.

When it comes to the Government there is one thing that is their lifeblood: they make and trade secrets. And since 2001, every building in DC has become its own semi-autonomous nation-state with X-ray machines and armed guards.

So why is it so hard to sell Data Leakage Prevention (DLP) and Database Activity Monitoring (DAM) solutions to them? I’ve talked to vendors in both solution spaces, and they’ve found that it’s a hard sell to get product in the door.

If anybody needs DAM and DLP, it’s the Gub’mint. I try not to play this game, but if you look at the PII incidents that meet the Washington Post front page threshold, you’ll see that all of them are preventable with either DAM or DLP or both.

DAM and Leakage Prevention photo by Dru

My thoughts on what’s up:

  • Government purchasing lags behind the private sector. Government CPIC works on a 2-year cycle. Keeping in mind that the average life expectancy for a CISO is 2 years, this doesn’t bode well. This is also why it’s so hard to get strategic projects (*cough* redundant data center *cough*) completed.
  • If it’s not in the control catalog, it’s hard to justify buying it. It’s the double-edged sword of compliance. Unless I have all the controls in the catalog implemented, I can’t really justify anything not in the catalog, and once I have all of the catalog done, they yank my budget for somebody who doesn’t have the catalog implemented.
  • It takes approximately 2 years to get a particular technology into the catalog of controls. If the catalog (SP 800-53) is revised every year, then if NIST thinks that my technology/concept is a good idea, then I still have to wait for the next revision.
  • So if you introduce a new technology today, the earliest I could expect to have it implemented is in 4 years, 3 if you’re lucky.
  • Selling to the government is long and slow (can we say “heavy on bizdev investment”) but has a big payoff: remember that the Overall IT budget is just shy of $80Bazillionz.

The winning strategies:

  1. Partnering up with the larger integrators who can bundle your product with an existing outsourcing contract.
  2. Matching up your product description with the catalog of controls. Make it easy for the Government to select your product.
  3. Let NIST and Mitre evaluate your product. Seriously. If you’ve got game, flaunt it.
  4. Invest in BizDev expecting 4 years before you get a return.

Posted in FISMA, Technical, What Doesn't Work, What Works | No Comments »

FISMA: Better if PCI. WTF?

Posted March 31st, 2008 by

“That’s why it’s time to reassess what FISMA should measure.  One model worth considering: the audit guide used by the payment card industry.”

Wow, just wow.  I didn’t know what to say for a couple of minutes…

But here goes.

Guys, seriously, the only time that FISMA gets any airtime at all is this time of the year, when all the reports come out.  The rest of the time, nobody cares unless they’re the CISO’s staff in an agency or they’re trying to pitch a product or service to the government.  Yes, I resemble both of those.

Of course, by now the responses to the annual FISMA reports are getting rote:

  • A couple of newspaper articles about how security in the government sucks.
  • Some blog posts about how since the government can’t get their act together, they shouldn’t tell the rest of us what to do.
  • GAO and OMB testify in front of congress about what the numbers mean.
  • Recursive commentary about how the numbers mean that collecting the numbers is worthless.
  • A formal statement from SANS about how FISMA is failing.
  • Some techno-geeks chiming in that if only the government would do this one thing that they’re a specialist in, all of their security problems would go away.
  • A plethora of people misunderstanding what “that FISMA thing” is, thinking that it’s some report card.
  • Everybody forgets about it all until next year.

Even I’m part of that, being a contractor who sells security services and all.

So where am I headed with all this?  Well, just to point out that there are a ton of people out there who get to play armchair quarterback every March about FISMA and security in the government as a whole.  It’s fun, but we’ll forget about it as soon as it’s tax time.

Posted in FISMA, Rants | 3 Comments »

Georgia Modifies and Adopts FISMA Framework

Posted March 28th, 2008 by

Georgia has adopted the NIST IA framework, modified it for local use, and now an executive order requires the gathering and publication of security metrics.

Posted in FISMA | 1 Comment »