Ever watch a marathon on TV?  There’s the usual formula for how we lay out the day:

• History of the marathon and Pheidippides
• Discussion of the race length and how it was changes so that the Queen could watch the finish
• World records and what our chances are for making one today
• Graphics of the race course showing the key hills and the “sprint to the finish”
• Talk about the womens’ marathon including Joan Benoit and Kathrine Switzer
• Description of energy depletion and “The Wall”
• Stats as the leaders hit the finsh line
• Shots of “back-of-the-pack” runners and the race against yourself

Well, I now present to you the formula for FISMA Report Cards:

• Paragraph about how agencies are failing to secure their data, the report card says so
• History and trending of the report card
• Discussion on changing FISMA
• Quote from Karen Evans
• Quote from Alan Paller about how FISMA is a failure and checklist-driven security
• Wondering when the government will get their act together

Have a read of Dancho’s response to the FISMA Report Card.  Pretty typical writing formula that you’ll see from journalists.  I won’t even comment on the “FISMA compliance” title.  Oh wait, I just did.  =)

Some myths about FISMA in particular that I need to dispell right now:

1. FISMA is a report card:  It’s a law, the grades are just an awareness campaign.  In fact, the whole series of NIST Special Publications are just implementation techniques–they are guidance after all.  Usually the media and bloggers talk about what FISMA measures and um, well, it doesn’t measure anything, it just requires that agencies have security programs based on a short list of criteria such as security planning, contingency planning, and security testing.  It just goes back to the adage that nobody really knows what FISMA is.
2. FISMA needs to be changed:  As a law, FISMA is exactly where it needs to be.  Yes, Congress does have talks about modifying FISMA, but not much has come of it because what they eventually discover after much debate and sword-waving is that FISMA is the way to write the law about security, the problem is with the execution at all levels–OMB, GAO, and the agencies–and typically across organizational boundaries and competing master agendas.
3. There is a viable alternative framework:  Dancho points out this framework in his post which is really an auditors’ plugin to the existing NIST Framework for FISMA.  Thing is, nobody has a viable alternative framework because it’s still going to be the same people with the same training executing in the same environment.

Urban Cell-Phone Fire Myth photo by richardmasoner.  This myth is dispelled at snopes.com.

Way back last year I wrote a blog post about indicator species and how we’re expecting the metrics to go up based on our continual measuring of them.  Every couple of months I go back and review it to see if it’s still relevant.  And the answer this week is “yes”.

Now I’ve been thinking and talking probably too much about FISMA and the grades over the past couple of years, so occassionally I come to conclusions .  According to Mr Vlad the Impaler, the report card is a bad idea, but I’m slowly beginning to see the wisdom of it:  it’s an opportunity to have a debate and to raise some awareness of Government security outside of those of us who do it.  The only other time that we have a public debate about security is after a serious data breach, and that’s not a happy time.

I just wish the media would stop with the story line that FISMA is failing because the grades provide recursive evidence of it.

• FISMA Report Cards Issued–Response is Rote by Now
• GAO’s 5 Steps to “Fix” FISMA
• A Funny Thing Happened Last Week on Capital Hill
• Random Thoughts on “The FISMA Challenge” in eHealthcare
• When the Feds Come Calling

I remember it like it was March:  Georgia voluntarily adopted FISMA-esque metrics.  I just found the policy statement for what they’re collecting in 2008.  On a side note, all of Georgia’s security policies feature concepts borrowed from NIST, something I like.

Let’s talk about the scope creep of Government security, shall we?  Fact of the matter is, it’s going to happen, and you’ll get eventually get caught up in FISMA if you’re one of the following:

• State and local government
• Government contractor
• Telco
• Government service provider
• COTS software vendor
• Utilities who own “Critical Infrastructure”

Why do I say this?  Mainly because just like how the DoD is discovering that it can’t do its InfoSec job without bringing the civilian agencies along due to connectivity and data-sharing issues, the Federal Government is coming to the point where it can’t secure its data without involving these outside entities.  Some are providers, but the interesting ones are “business partners”–the people that share data with the Government.

State and local government are the ones to watch for this pending scope creep.  The Federal Government works on the premise that the responsibility to protect data follows wherever the data goes–not a bad idea, IMO.  If they transfer data to the states, the states need to inherit the security responsibility and appropriate security controls along with it.

Now if I’m a contractor and exchange data with the Government, this is an easy fix:  they don’t pay me if I don’t play along with their security requirements.  When a new requirement comes along, usually we can haggle over it and both sides will absorb a portion of the cost.  While this might be true for some state programs, it becomes a problem when there is no money changing hands and the Federal Government wants to levy its security policies, standards, etc on the states.  Then it becomes a revolt against an unfunded mandate like RealID.

There are some indicators of Federal Government scope creep in the Georgia policy.  This one’s my favorite:

The performance metrics will also enhance the ability of agencies to respond to a variety of federal government mandates and initiatives, including the Federal Information Security Management Act (FISMA).

Georgia on my Mind by SewPixie.

• When the Feds Come Calling
• Georgia Modifies and Adopts FISMA Framework
• Why You Should Care About Security and the Government
• Random Thoughts on “The FISMA Challenge” in eHealthcare
• How to Not Let FISMA Become a Paperwork Exercise

CAVEAT:  This document is dangerous!  See this post before you go any further.  You have been warned!

It stands to reason that one of my recurring search strings in my blog stats is people looking for a copy of NIST SP 800-26.  I even have commenters looking for it.  We like commenters enough to give them what they want, don’t we?

So I thought long and hard until my thinker was sore, asked some friends, and puzzled a bit more about why people would be so interested in a document that is, like Latin, dead.

My resident curmudgeon (yes, even a BSOFH needs a role model from time to time), Vlad the Impaler, offered up the suggestion:  That state and local governments need it because they’re usually 5-10 years behind the Federal Government.  Even then, I don’t get it, and with a shrug, I’ll leave it at that.

Anyway, I’ve uploaded the most recent version here (foo.pdf caveat applies).  I got the file in an email from Vlad, so he’s the one you should really thank.  In the spirit of complete irony, this file could become the #1 download for me. =)

CAVEAT:  This document is dangerous!  See this post before you go any further.  You have been warned!

• An Open Letter to NIST About SP 800-30
• SP 800-53A Now Finally Final
• Old Saint NIST: Ho Ho Hold on, what’s this?
• Why You Should Care About Security and the Government
• Some Comments on SP 800-39

I’ve said it a million times before:  I don’t care if you switch to $FooFramework, as long as you have the same people executing it with the same skillset, the results will be the same.  Last week and for the near-term, it’s a new bill to replicate the tenets of FISMA and the NIST framework thereof.

Last week, Representative Langevin introduced HR 5983, the “Homeland Security Network Defense and Accountability Act of 2008”.  Some press on the bill:

• Security Focus
• Committee on Homeland Security

Now the big question for me on this bill (and really, any proposed law) is this:  How does this provide anything above and beyond what is already required by FISMA, OMB policies, and NIST guidelines?  My short analysis:  Not much, and Rep Langevin is just “stirring the pot” with the big spoon of politics.

HR 5983 requires the following:

• Re-establishes the role and staffing requirements for the CIO, including network monitoring
• Testing the DHS networks using “attack-based” protocols
• IG audits and reporting
• Adding responsibility for contractor systems

Again, nothing new here that isn’t required already.  The only benefit to this bill that I see is that if it’s law, the Executive Branch has to request the funding in their budget request and Congress has to (maybe) fund it. It isn’t that DHS doesn’t have the in-house expertise–they own US-CERT.  It’s not that they have a lack of smart people–they own the Security Line of Business.  It’s that there are only so many hours in the day to get things done, and DHS has had lots of work since their creation in 2002.

A little bit of peeking behind the security kimono at DHS is in order.  DHS consists of subagencies, known as Operational Elements, such as TSA, ICE, CBP, etc.  The heads of these agencies are peers to the DHS CIO and have their own CIO and CISO, even though that’s not what they’re called.  See, the OEs do not have to listen to the DHS CIO, and that’s a huge problem.  Last year, DHS made the DHS CIO the budget approver for the OE’s IT budgets, which is a step forward, but still there is much room for improvement.  That’s something that Congress can fix.

Now it just isn’t a “Government IT Security News Day” without a comment from Alan Paller of SANS fame…

“One story is missing from this issue because the press hasn’t picked it up yet. Under Chairman Langevin of Rhode Island, the US House of Representatives Subcommittee on Emerging Threats and Cybersecurity just approved a new bill that changes how security will be measured, at least at the Department of Homeland Security. This is the beginning of the end of the huge waste under FISMA and the start of an era of continuous monitoring and automation. Long overdue. Look for news stories over the coming days.
Alan”

Like I say sometimes, I’m a bear of little brain and a recovering infantryman, but why is the answer to a law to make another law saying the same exactly the same thing.  All I have to say is this:  You’re not on Slashdot, you actually have to read the bill before you comment on it.  I didn’t see anything that supports what Alan’s saying.    =)

Capitol at Sunset by vgm8383.

To me, the very interesting thing about this bill is this provision:

“Before entering into or renewing a covered contract, the Secretary, acting through the Chief Information Officer, must determine that the contractor has an internal information systems security policy that complies with the Department’s information security requirements, including with regard to authentication, access control, risk management, intrusion detection and prevention, incident response, risk assessment, and remote access, and any other policies that the Secretary considers necessary to ensure the security of the Department’s information infrastructure.”

I have an issue with the language of this provision.  It’s one of scope.

But perhaps an explanation is in order.  Most (OK, mabye half or a little bit more, this isn’t a scientific number) government IT systems are contractor-operated.  These contractors have “Government data” on their corporate networks.  Some of this is fairly benign:  contracting collateral, statements of work, staffing plan, bill rates, etc.  Some of this is really bad:  PII, Privacy Act data, mission data, etc.  Some of this is “gray area”: trouble tickets, event data, SIEM data, etc.

Now taking this back to cost-effective, adequate security, what the Langevin bill means is that you’re taking the FISMA framework and applying it to all contractors without any bounds on what you consider within your realm of protection–ie, according to the language of the bill, if I’m any contractor supporting DHS in an outsourcing engagement, you can audit my network, whether or not it has Government data on it.  This is a problem because your oversight cuts into my margins and in some cases does not provide the Government with the desired level of security.

My response as a contractor is the following:

• Increase my rates to compensate for the cost of demonstrating compliance
• Do not bid DHS contracts
• Adopt a policy that says that DHS policies apply to the systems containing government mission data and meta-data
• Charge the Government at Time and Materials for any new requirements that they levy on you for mitigation

Unfortunately, this is a game that the Government will win at with respect to controlling the contractor’s network and lose at with respect to cost.

Good contractors understand the liability of having separation between Government data and their own network.  Back in my CISO role, that was the #1 rule–do not putGovernment data on the corporate network or “cross the streams” (Thanks, Vlad).  In fact, I wrote a whole chunk of blog posts last year about outsourcing, go check them out.  In fact, we would give to the customer anything that could be built in a dedicated mode specifically for them.  The dedicated network sections used the customer’s policy, procedures, standards, and they got to test them whenever they wanted.  In back of that was a shared piece for things that needed large economy of scale, like the STK 8500 and the NOC dashboards to put all the performance data on one screen.

Having said that, some data does need to cross over to the contractor’s network (or, even better, a separate management network) in order to provide economy of scale.  In our case, it was trouble tickets–in order to split field technicians across different contracts to keep them billable, the only cost-effective way to do this is to have tickets go into a shared system.  Any other solution costs the Government a ton of money because they would be paying for full-time field techs to be on-site doing nothing.

The problem is that our guidance on contractor systems is grossly outdated and highly naive.  The big book of rules that we are using for contractor security is NISPOM.  Unfortunately, NISPOM only applies to classified data, and we’re left with a huge gap when it comes to unclassified data.

What we need is the unclassified version of NISPOM.

The NIST answer is in section 2.4 of SP 800-53:

The assurance or confidence that the risk to the organization’s operations, assets, and individuals is at an acceptable level depends on the trust that the authorizing official places in the external service provider. In some cases, the level of trust is based on the amount of direct control the authorizing official is able to exert on the external service provider with regard to the employment of appropriate security controls necessary for the protection of the service and the evidence brought forth as to the effectiveness of those controls. The level of control is usually established by the terms and conditions of the contract or service-level agreement with the external service provider and can range from extensive (e.g., negotiating a contract or agreement that specifies detailed security control requirements for the provider) to very limited (e.g., using a contract or service-level agreement to obtain commodity services such as commercial telecommunications services).

Hmmm, in a classic ploy of stealing lines from my Guerilla CISO Bag-o-Tricks ™, NIST has said “Well, it depends”.  And yes, it depends, but how do you impement that when OMB dictates that what NIST says is THE standard?

• When the Feds Come Calling
• How to Not Let FISMA Become a Paperwork Exercise
• More on Georgia’s FISMA Reporting
• Comments on SCAP 2008
• Random Thoughts on “The FISMA Challenge” in eHealthcare

Second draft of NIST SP 800-39, Managing Risk from Information Systems, an Organization Perspective, is out, go have a read and see what you think. NIST really does welcome and use comments.

When 800-39 first came out, I gave it a quick scan and said to myself “meh, this is a rehash of all the things said elsewhere, especially 800-37. The general consensus between my friends was the same, but that after you get over that initial impression, you realize that the 800-39 Risk Management Framework is the stuff that fills in the gaps between everything and that this is how successful CISOs have been running their shops. One thing to think about is that NIST writes doctrine not technique, so you still have to read between the lines.

Anyway, it’s worth your time to give it a read, then drop your comments to NIST. They love it when you doo….

• Mike’s Guide to Information Security Policy
• Opportunity Costs and the 20 Critical Security Controls
• Some Comments on SP 800-39
• An Open Letter to NIST About SP 800-30
• New SP 800-60 is Out, Categorize Yerselves Mo Better

I always love it when people review the past and find out new things.

But then they cheapen the experience by something like this:  “If the SCADA system would have been 800-53-compliant, then these two deaths wouldn’t have happened”.

Well, where I come from, SSG Smith has a saying:  “If ‘if’ was a ‘fifth’, we would all be drunk”.  Now this colorful phrase basically means in polite-people-speak that you can “what-if” a past situation to death, but it doesn’t really change what happened.

Credit card breach companies, I feel your pain because you deal with this every single time:  “If they would have been PCI-compliant, this wouldn’t have happened”.    =)

• Life in a Zero Defects World
• Preliminary Findings on Cybersecurity Review Now Out
• Thought-Terminating Cliches and Infosec
• Layers Upon Layers of Oversight
• Always Behind