On Why I Blog… FUD is the Reason for the Writin’

Posted August 19th, 2008 by

This article at SC Magazine is exactly why.  Kudos to Dan Philpott for calling the author on his errors.

Things that go through my mind about articles like this:

  • Is it that slow of a news day?  FISMA stuff is always good for a couple yucks when there’s nothing else to talk about.  Looks like somebody needed filler while everybody was flying to Black Hat and DefCon.
  • Once again, we’re confusing FISMA the law with the implementation thereof.  Yawn.
  • Ack, somebody who likes FDCC.  Actually, I like it too in theory, I just don’t like the implementation.
  • “Government has influence when it comes to awareness and will have opportunities to use it.”  Um, yes, it’s the $75B IT budget, flex that muscle wherever you want to get the secure products you want.  Do not underestimate the power of the budget.
  • Follow the FISMA Naysayer and spot somebody who’s looking for money.  In this case, it’s Fortify.

Funny thing is that I think I met the guy from Fortify a couple of months ago at a NoVa OWASP meeting for a showing of their fun-but-FUDtastic movie about application security.  You know, you’ve seen the trailer, it looked like this:

There is a way to influence thinking in this town, and writing trash articles like this is not the way to do it.  If Fortify really wants to change the world, I have some ideas on how to do it, but nobody ever asks.  =)

FUD Truck Makes a Delivery photo by crmudgen23.

Guerilla CISO story time:

About 9 months ago, I got a marketing packet from Borderware.  It said that “FooCorp is identified as sending spam” and offered me the opportunity to join their reputation service.

Looking at the materials they sent me, I deduced that none of the source IPs they listed was in our netblock and that what they were referring to was spam using @foocorp.com email addresses as the “from” address.  Um, not a whole lot you can do to stop that, although it does make for some fun abuse@ emails from users who don’t understand how spam works:  “Quit sending me this stuff, I’ll burn down your data center myself!!!111oneoneone”

Anyway, since the whole packet was pure FUD and not really relevant to anything I wanted to do, I sat down and sent an email to their Director of Marketing and CTO:

I know Borderware’s products, we use them in some of our solutions, and you have a good reputation.  Please don’t resort to such a lowbrow marketing scheme because it sullies your brand.

I think Fortify is in the same boat.  They have a good reputation–I have a friend who works for one of their biggest customers, and if he’s cool with it, I am.

But the question for all security companies remains:  how do I sell my product without resorting to spreading FUD everywhere I go?

Posted in FISMA, Rants | 6 Comments »

New SP 800-60 is Out, Categorize Yerselves Mo Better

Posted August 18th, 2008 by

While I was slaving away last week, our friends over at NIST published a new version of SP 800-60.  Go check it out at the NIST Pubs Page.

Now for those of you who don’t know what 800-60 is, go check out my 3-part special on the Business Reference Model (BRM), a primer on how SP 800-60 aligns FIPS 199 with the BRM, and a post on putting it all together with a catalog of controls.

And oh yeah, the obligatory press reference: Government Computer News.

Data Release Show photo by Discos Konfort.

So deep down inside, you have to be asking one question by now:  “Why do we need SP 800-60?”  Well, 800-60 does the following:

  • Level-sets data criticality across the Government:  Provides a frame of reference for determining criticality–i.e., if my data is more important than this but less important than that, then it’s a moderate for criticality.
  • Counters the tendency to rate system criticality higher than it should be:  Everybody wants to rate their system as high criticality because it’s the safe choice for their career.
  • Protection prioritization:  Helps us point out at a national level the systems that need more protection.
  • Is regulations-based:  The criticality ratings reflect laws and standards.  For example, Privacy Act Data is rated higher for confidentiality.

All things considered, it’s a pretty decent system for Government use.

Now this is where I have a bit of heartburn with GRC tools and data classification in general in the private sector–they classify the wrong things.  How the vendors (not all of them, there is a ton of variation in implementation) want you to categorize your data:

  • HIPAA-regulated
  • PCI-DSS-regulated
  • SOX-regulated
  • All other data types

How your CISO needs to categorize data to keep the business afloat:

  • Data that gets you paid:  If you’re a business, your #1 priority is getting money.  This is your billing/AR/POS data that needs to keep going.
  • Data that keeps you with a product to sell over the next week:  usually ERP data, stuff that slows down the production line when it’s unavailable.
  • Data that people want to rip off your customers:  hey, almost all the regulated data (PCI-DSS, HIPAA, etc) fits in here.
  • Data where people will rip you off:  i.e., your internal financial systems.  Typically this is SOX country.

I guess really it comes down to the differences between compliance and risk, but in this case, one version will keep you from getting fined, the other will keep your business running.

Posted in FISMA, NIST | No Comments »

No, FISMA Doesn’t Require That, Silly Product Pushers

Posted July 31st, 2008 by

Post #9678291 on why people don’t understand what FISMA really is: Secure64 DNSSEC Press Releases.

“FISMA Act encourages U.S. government agencies to configure their DNS servers to the DNSSEC security specifications set by the National Institute of Standards and Technology, and it has been reported that the federal government’s Office of Management and Budget (OMB) plans to begin enforcing DNSSEC requirements through an auditing process, setting the standard for DNS best practices.”

Yep, if you stamp FISMA on it, people will buy it, maybe in your PR department’s wettest and wildest dreams.  Guys, it’s been 6 years, that kind of marketing doesn’t work nowadays, mostly because we spent ourselves into oblivion buying junkware similar to yours and now we’re all jaded.

Now don’t get me wrong, DNSSEC is a good thing, especially this month.  But there is something I need to address:  FISMA requires good security management with a dozen or so key indicators, not a solution down to the technical level.  Allusions to OMB are just FUD, FUD, and more FUD because unless it’s in a memo to agency heads, it’s all posturing–something everybody in this town knows how to do very well.  OMB would rather stay out of mandating DNSSEC and maybe give a “due date” once NIST has a final standard.

My one word of wisdom for today:  anybody who tries to sell a product and uses FISMA as the “compelling event” has no clue what they’re talking about.

Posted in FISMA, What Doesn’t Work | 7 Comments »

C&A Seminar in August, Instructor-to-Coolness Ratio Goes Up!

Posted July 28th, 2008 by

Potomac Forum is having a 2-day C&A seminar on August 6th and 7th.  It will be unusually good this time because I won’t be there to drag everybody down–I’ll be on the road for some training.  =)  Anyway, check it out and say hi to my instructors from me.

Posted in FISMA, Speaking | 1 Comment »

On Government Employees, Culture, and Survivability

Posted July 21st, 2008 by

A couple of months before I was activated and went to Afghanistan, I got a briefing from a Special Forces NCO who had done multiple tours in the desert.  One thing he said still sticks in my mind (obviously paraphrased):

“The Afghanis, they live in mud huts, they don’t have electricity, they are stick-people weighing 85 lbs, and to say that we could bomb them into the stone age would be an advancement in their technology level.  But never underestimate these people, they’re survivors.  They’ve survived 35 years of warfare, starting with the Soviets, then they fought a civil war before we arrived on the scene.  Never underestimate their ability to survive, and have respect for them because of who they are.”

Today, I feel the same way about government employees, even more so because it’s an election year:  they’re survivors.

Now time for what I see as the “real” reason why the government is doing badly (if that’s what you believe–opinions differ) at security: it’s all an issue of culture. I have a friend who converted a year ago to a GS-scale employee and took a class on what motivates government employees. Some of these are obvious:

  • Pride at making a difference
  • Helping people
  • Supporting a cause
  • Gaining unique experience on a global-class scope
  • Job stability
  • Retirement benefits

And one thing is noticeably absent: better pay and personal recognition.  Hey, sounds like me in the army.

The Companion Family Plan for Survival at Home photo by Uh … Bob.

Now I’m not trying to stereotype, but you need to know the organizational behavior pieces to understand how government security works. And in this case, the typical government employee is about as survival-aware as their Afghani counterpart.

Best advice I ever heard from a public policy wonk: the key to survival in this town is to influence everything you can get your hands on and never have your name actually written on anything.

In other words, don’t criticize, be nice to everybody even though you think they are a jerk, and avoid saying anything at all because you never know when it will be contrary to the political scene.  The Government culture is a silent culture. That’s why every day amazing things happen to promote security in the Government and you’ll never hear about it on the outside.

One of the reasons that I started blogging was to counter the naysayers who say that FISMA is failing and that the Government would succeed if it would just buy their product for technical policy compliance or end-to-end encryption.  Sadly, the true heroes in Government, the people who just do their job every day and try to survive a hostile political environment, are ceding the argument to the critics through their silence.

Which brings me to my point:

Yes, my name is Rybolov and I’m a heretic, but this is the secret to security in the Government:  it’s cultural at all layers of the personnel stack.  Security (and innovation, now that I think about it) needs a culture of openness where it’s allowable to make mistakes and/or criticize.  Doesn’t sound like any government–local, state, or federal–that I’ve ever seen.  However, if you fix the culture, you fix the security.

Posted in FISMA, Rants, What Doesn’t Work, What Works | 3 Comments »

FISMA Reporting Guidance for 2008

Posted July 18th, 2008 by

It’s out.  I’ll most likely have something pithy to say when I look at it a little bit more, but it looks like it’s mostly the same as last year.

Anyway, you can get it here: it’s OMB Memo 08-21.

Posted in FISMA | No Comments »