Ack! With the Mandates!

Posted March 28th, 2008 by

Very nice article at Federal Times about Office of Management and Budget mandates actually interfering with agencies' ability to provide effective security.  Of course, I think it's well-written because it says some of the same things I've been saying for a while now.   =)

So the question is, does OMB "get it" when it comes to information security?  Well, yes and no, and the counter-question is: should they?

Let’s look at what OMB does.  In fact, go check out their web site, it has a plethora of knowledge.  It has the following mission statement:

“OMB’s predominant mission is to assist the President in overseeing the preparation of the federal budget and to supervise its administration in Executive Branch agencies. In helping to formulate the President’s spending plans, OMB evaluates the effectiveness of agency programs, policies, and procedures, assesses competing funding demands among agencies, and sets funding priorities. OMB ensures that agency reports, rules, testimony, and proposed legislation are consistent with the President’s Budget and with Administration policies.

“In addition, OMB oversees and coordinates the Administration’s procurement, financial management, information, and regulatory policies. In each of these areas, OMB’s role is to help improve administrative management, to develop better performance measures and coordinating mechanisms, and to reduce any unnecessary burdens on the public.”

OK, so they are responsible for management, budget, performance, policy, and acquisition.  Hmm, sounds like the business side of the Government.  Yes, they should be in charge of security, but from the perspective of a good CFO:  that is, they know that it’s important because it’s loss reduction, but they don’t necessarily have the expertise on-hand to go into much more depth than that.

Now OMB is in a squeeze, you need to understand their pressures.  On one hand, their job is to assure compliance with all the laws, directives, policies, etc.  On the other hand, their job is to reduce the cost of the Federal budget.  In my world, these ideas are opposed to each other.

Add some political pressure and some serious security incidents into the mix, and you can easily see why OMB has been managing security by mandates and performance metrics (FISMA reporting).  The mandates are policy statements and the metrics are intended to determine how efficiently agencies are executing their compliance.  Thing is, this makes sense in a compliance-budget squeeze.

Now notice I didn’t bring up risk management anywhere in this post until now?  Well, this is where risk management comes in.  At the current burn-rate for IT security spending in the Government, the way to realize efficiencies and cost savings while still meeting the compliance drivers is to use risk management.  I’ll say this again: without risk management, everything becomes equally important and you have neither effective security nor cost-conscious security.

My big question for you is this:  who is performing true risk management for the Government as a whole?

  • It’s not OMB, they just operate as the Government’s CFO
  • It’s definitely not GAO, they’re just a two-person control to keep the executive branch honest
  • It’s not NIST, they just write standards and guidelines

The answer is this:  agency CISOs.  The problem with them being the highest level of risk management is the following:

  • No sharing of risk with high-level stakeholders (OMB, White House)
  • No sharing of risk with risk partners (Congress)
  • No risk management at the national-level (strategic view)
  • CISOs are given all the responsibility but none of the authority to fix things that really matter
  • We all point fingers at each other when something breaks

So, how do we fix this?  That’s a hard one.  We can train OMB to do risk management.  We can extend Lines of Business so that one agency (*cough* DHS *cough*) adopts national-level risk management.  We can create a new organization that’s responsible for government-wide risk management, but then again that doesn’t make sense.

Posted in FISMA, Risk Management, What Doesn't Work | No Comments »

Speaking Again

Posted March 28th, 2008 by

Potomac Forum is holding a 5-Fridays FISMA Fellows Class in May and June.  Of course, I’ll be speaking/teaching and so will some of the other characters you see on my blog.

Hasty agenda (you can get more info on the Potomac Forum site):

  • Day 1:  Introduction, Determining Boundaries, Inventory, and Data Criticality
  • Day 2: Controls, 800-53, Security Planning
  • Day 3: Security Test and Evaluation, Risk Management
  • Day 4: The Entire Process of Certification and Accreditation, CPIC, Accreditation Packages
  • Day 5: COOP, Patch Management, and Graduation Ceremony

The one caveat is that it’s open only to Government employees.

Posted in FISMA, NIST, Speaking | No Comments »

Remembering Accreditation

Posted March 20th, 2008 by

Accreditation is the forgotten and abused poor relation to certification.

Part of the magic that makes C&A happen is this:  you have certification, which is a verification that all the minimum security controls are in place, and then you have accreditation, which is a formal acceptance of risk by a senior manager/executive.  You know what?  The more I think about this idea, the more I come to see the beautiful simplicity in it as a design for IT security governance.  You really are looking at two distinct, complete concepts:  compliance and risk management.

So far, we’ve been phenomenal at doing the certification part.  That’s easy, it’s driven by a catalog of controls and checklists.  Hey, it’s compliance after all–so easy an accountant (er, caveman) could do it. =)

The problem we’re having is in accreditation.   Bear with me here while I illustrate the process of how accreditation works in the real world.

After certification, the list of deficiencies is turned into a Plan of Action and Milestones–basically an IOU list of how much it will cost to fix each deficiency and when you can have it done by.

Then the completed C&A package is submitted to the Authorizing Official.  It consists of the following things:

  • Security Plan
  • Security Testing Results
  • Plan of Actions and Milestones

The accreditor looks at the C&A package and gives the system one of the following:

  • Denial to Operate
  • Approval to Operate
  • Interim Approval to Operate (i.e., limited approval)

And that’s how life goes.

There’s a critical flaw here, one that you need to understand:  what we’re giving the Authorizing Official is, more often than not, the risks associated with compliance validation testing.  In other words, audit risks that might or might not directly translate into compromised systems or serious incidents.

More often than not, the accreditation decision is based on these criteria:

  • Do I trust the system owner and ISSO?
  • Has my assessment staff done an adequate job at finding all the risks I’m exposed to?
  • What is the extent of my political exposure?
  • How much do I need this system to be up and operational right now?
  • Is there something I need fixed right now but the other parts I’m OK with?

For the most part, this is risk management, but from a different angle.  We’ve unintentionally derailed what we’re trying to do with accreditation.  It’s not about total risk, it’s about audit risk.  Instead of IT security risk management, it becomes career risk management.

And the key to fix this is to get good, valid, thorough risk assessments in parallel with compliance assessments.   That requires smart people.

Smart CISOs out there in Government understand this “flaw” in the process.  The successful ones come from technical security testing backgrounds and know how to get good, valid, comprehensive risk assessments out of their staff and contractors, and that, dear readers, is the primary difference between agencies that succeed and those that do not.

NIST is coming partly to the rescue here.  They’re working on an Accreditor’s Handbook that is designed to teach Authorizing Officials how to evaluate what it is they’re being given.  That’s a start.

However, as an industry, we need more people who can do security and risk assessments.  This is crucial to us as a whole because your assessment is only as good as the people you hire to do it.  If we don’t have a long-term plan to grow people into this role, we will continually fail, and it takes at least 3-5 years to grow somebody coming from a system administrator background into the role with the skills to do a good assessment.  In other words, you need to have the recruiting machinery of a college basketball program in order to bring in the talent that you need to meet the demand.

And this is why I have a significant case of heartburn when it comes to Alan Paller.  What SANS teaches perfectly complements the policy, standards, regulations, and compliance side of the field.  And the SANS approach–highly tactical and very technology-focused–is very much needed.  Let me say that again:  we need a SANS to train the huge volume of people required to have valid, thorough risk assessments.

There is a huge opportunity to say “you guys take care of the policy and procedures side (*cough* the CISSP side), we can give you the technical knowledge (the G.*C side) to augment your staff’s capabilities.”  But for some reason, Alan sees FISMA, NIST, and C&A as competitors and tries to undermine them whenever he can.

Instead of working with, he works against.  All the smart people in DC know this.

Posted in FISMA, NIST, Rants, Risk Management, What Doesn't Work, What Works | No Comments »

My 2 Obsessions this Week

Posted March 18th, 2008 by

#1:  How does a company/organization convert from doing compliance management to doing true risk management?  I think it’s the difference between being good and being great.  There are a couple of non-IT models that we can look at:  Emergency Room care transitioning into long-term care being a good one.

#2:  Compare and contrast the metrics that are collected as part of the annual FISMA reports with the major initiatives that we have on the table.  They don’t add up.

OK, I think it’s time to go fishing this weekend, I’m having dreams about LoB initiatives.  Mini-me says I need to do something non-IT/security/$foo for the 8 hours of the day that I’m NOT working.

Posted in FISMA, Odds-n-Sods, Risk Management, The Guerilla CISO | 3 Comments »

Cage Match: OMB Report V/S GAO Report, Only One Comes Out Alive

Posted March 17th, 2008 by

Heh, sensationalist title, but you get the point.  There are two worlds out there contained in two reports that came out last week.  And yet, they seem to contradict each other.

Let’s see our combatants, shall we:

In this corner we have GAO.  GAO issued THEIR report as prepared testimony to Congress.  They’ve delivered it numerous times to various committees, and I dare say that Mr Wilshusen is getting some mileage out of this report.  Basic summary:  numbers are getting better, but 21 out of 24 agencies do not have a complete information security program.

And in this corner we have OMB.  OMB issued THEIR report as a formal report to Congress.  This is a one-shot annual deal, although afterward there are bound to be some hearings on it.  Basic summary:  we’re doing pretty well and we’re working to police up the odds and ends even more efficiently.

Now keep in mind these two simple facts:  GAO works for Congress (Legislative Branch), OMB works for the President (Executive Branch).  This is critical to remember, so file it away.

The funniest thing for me as an outside observer to look at is that if you look at the numbers that they report, they’re identical.  A view behind the inner workings of the government:  both groups are working off exactly the same sets of data.

In preparing for this testimony, GAO analyzed agency, IG, Office of Management and Budget (OMB), and GAO reports on information security and reviewed OMB FISMA reporting instructions, information technology security guidance, and information on reported security incidents.   –GAO Report

In other words, GAO used exactly what was reported to OMB but came up with different conclusions.  Some of that is to be expected, it’s the same doers v/s the auditors conflict that’s been going on since the beginning of time, but wow, there is a huge disparity here that we need to account for.

I didn’t catch this with the GAO report, but I noticed it with the OMB report:  229 systems are not categorized, but 94% of these are certified and accredited.  Say what?  How can you tell if the security controls are implemented and the residual risk of the system is at an acceptable level when you have not determined what protection needs you have, much less your requirements?  This is akin to saying that a piece of software has passed through user acceptance testing when the user population doesn’t know what their needs or requirements are.  Now occasionally you don’t know how to classify a system because it breaks our model:  a low-criticality network that serves as the backbone for one highly-critical application, a legacy application that it’s just not worth it to classify because we’re in the process of decommissioning it, etc.
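The "certified and accredited but never categorized" inconsistency above is the kind of thing an inventory check should catch before a package ever reaches an Authorizing Official. As an added illustration (not code from the original post), here is that check in Python, run over a small constructed inventory. It assumes the FIPS 199 high-water-mark rule, which the post does not name: a system's categorization is the highest of the impact levels assigned to the confidentiality, integrity and availability of the information it handles. The `System` record, the field names and the sample systems are invented for the example. The "low backbone carrying a high application" case from the post is deliberately only flagged for review, not auto-upgraded, since the post's point is that it breaks the model rather than that there is a mechanical answer.

```python
"""Inventory consistency check: categorize before you accredit.

Added illustration, not from the blog post. Applies the FIPS 199 high-water
mark (system impact = highest of the C, I, A impact levels) to a constructed
inventory, then flags (a) systems holding an accreditation decision without a
categorization, and (b) systems whose categorization is lower than that of a
system they support, which needs a human look rather than an automatic bump.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}


@dataclass
class System:
    # Hypothetical inventory record; field names are assumptions for the example.
    name: str
    cia: Optional[Tuple[str, str, str]]      # (C, I, A) impact levels, None = not categorized
    decision: Optional[str]                  # "ATO", "IATO", "DTO", or None if no C&A yet
    supports: List[str] = field(default_factory=list)   # systems that ride on this one


def high_water_mark(cia: Optional[Tuple[str, str, str]]) -> Optional[str]:
    """FIPS 199 categorization: the highest impact level across C, I and A."""
    if cia is None:
        return None
    return NAMES[max(LEVELS[level] for level in cia)]


def audit(inventory: List[System]) -> List[Tuple[str, str]]:
    """Return (system name, finding) pairs for records that should not pass as-is."""
    by_name = {s.name: s for s in inventory}
    findings = []
    for s in inventory:
        cat = high_water_mark(s.cia)
        # An ATO/IATO is an acceptance of risk; with no categorization there is
        # no statement of what the protection needs were, so the decision is hollow.
        if s.decision in ("ATO", "IATO") and cat is None:
            findings.append((s.name, "accredited without categorization"))
        # Dependency check: a low-impact system supporting a high-impact one is
        # flagged for review; the categorization is not changed automatically.
        for dep in s.supports:
            dep_cat = high_water_mark(by_name[dep].cia) if dep in by_name else None
            if cat and dep_cat and LEVELS[dep_cat] > LEVELS[cat]:
                findings.append(
                    (s.name, f"categorized {cat} but supports {dep} ({dep_cat}); review")
                )
    return findings


# Constructed sample inventory (not real systems or agency data).
INVENTORY = [
    System("payroll", ("moderate", "high", "moderate"), "ATO"),
    System("legacy-reports", None, "ATO"),               # accredited, never categorized
    System("campus-backbone", ("low", "low", "low"), "ATO", supports=["payroll"]),
    System("pilot-portal", None, None),                  # uncategorized but not accredited: fine
]


def run() -> List[Tuple[str, str]]:
    return audit(INVENTORY)


if __name__ == "__main__":
    for name, finding in run():
        print(f"{name}: {finding}")
```

Running it reports `legacy-reports` as accredited without a categorization and `campus-backbone` as a low-categorized system carrying a high-impact application; `pilot-portal` is uncategorized but has no accreditation decision, so it is not an inconsistency yet.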

Now as much as I want to stand up and tell you that the agencies have been doing outstanding C&As, I just don’t believe the IGs when they say that some of them have “satisfactory” C&A processes.  Maybe I’m just a little bit cynical, but that’s the way I call it.  I know some of these agencies, and no way would I say “satisfactory” for some of them.

Now as far as the contradicting reports, let’s do a hasty analysis of the current political situation in DC, shall we?  The Executive Branch is controlled by the Republicans (and has been for 7 years), the Legislative Branch is controlled by the Democrats (for only a year), and oh yeah, it’s an election year.  You would expect the Congress-owned GAO to sing songs of woe and the President-controlled OMB to sing songs of praise.

And that, dear readers, is the difference between the two reports.

So in the end of all this, which report is the one true report because the other one is full of lies, damn lies, and statistics?  Well, they’re both just as accurate (they came from the same source data, remember), only from different angles.

The cynic/BSOFH in me says that you need to pull out the OMB report most of the time, especially when it’s time for your annual review, and pull out the GAO report when you need to justify your IT security budget.  But no, none of the CISOs or CIOs I know in the government would do that, would they?   =)

Posted in BSOFH, FISMA | 5 Comments »

OMB Releases FY2007 FISMA Report

Posted March 14th, 2008 by

Go check it out. In the mean time, I’ll see if there’s anything fun that I need to comment on. Those of you who know me know that there usually is, so prepare for the storm now.  =)

Posted in FISMA, NIST | 1 Comment »
