I’ve touched on this about a bazillion times, let me start today with a very simple statement:  due to the scale of the US Government, we cannot find enough skilled security people.

Part of the problem is that good security people need to know the following skills:

• IT technology: since the data more often than not is in a computer, you need to understand them
• People technology: policies and procedures for managing people
• Business sense:  understanding that you’re supporting business goals
• And for Government:  politics

Back when I was PFC Rybolov, my battalion commander told me something along the lines of “The intelligence world is a hard job, you have to be able to out-infantry the infantry, out-mechanic the mechanics, out-radio the radio guys, and you need to know a language.”  Security is pretty much the same thing–you have to out-techie the techies, out-business the MBAs, and out-jerkify the auditors.  =)

Sound complicated?  Yes, it is, and it’s hard to find people who can do all this.  IT is an employment niche, IT security is a niche to a niche.  And there isn’t enough people who have the experience to do it.

So how do we mitigate the staffing shortage?  Here is what we are doing today in the Government:

• CyberCorps scholarship program for undergrads and graduate students with a minimum government service obligation.
• Using other career fields in “crossover roles”–yes, accountants can be used for some light security tasks.  Some things that we think of as security are really Quality Assurance and Change Control jobs that we have a vested interest in making work.
• Using contractors in some roles such as ISSO, ISSM, etc.
• Automation as much as possible.  Technical is easier, the policy and procedures side takes longer.  What you’ll find out eventually is that good IT management is good security management.
• Hanging on methodologies to “automate” the process side of security.

Now this is cool and all, but it’s hard to sustain and really hard to justify as a long-term solution.  In order to support the Government, we need to create more people.  Cybercorps is a start, but the need is so much larger than the supply that we have to consider better ways to create Government security dweebs.

Do we need Security Awareness and Training?  Yes we do, but much more than what is being provided (think system administrator training and procurement specialist training, not end-user training), and as an internal recruiting pipeline.  Still, I don’t think that we can recruit enough people to “the dark side” and that we need to look outside the Beltway for people.  Problem is that DC is such an insular community and we don’t speak the same language as the rest of the world.

• NIST’S FISMA Pase II–Who Certifies Those who Certify the Certifiers?
• A Short History of Cyberwar Lookalikes
• Security Assessments as Fraud, Waste, and Abuse
• Cloud Computing and the Government
• In Response to “Cyber Security Coming to a Boil” Comments….

The perpetual draft document, SP 800-53A, has been officially released after 3 years.  Check out the announcement from NIST here.

Now the interesting thing to me is that NIST is working with some other players (DNI comes to mind) on reference implementations of 800-53A.  This is big, so big that I can’t add enough hyperbole to it.

Why do they need to do reference implementations?  Well, because by itself, SP 800-53A is dangerous if it’s given to people who “don’t get it”.  By that what I mean is this:

• SP 800-53 needs tailoring to distill into actual requirements.
• SP 800-53A needs a huge amount of tailoring to distill into test cases/procedures that match the tailoring that you did with 800-53.
• Taken at face value, 800-53 and 800-53A become the source of “death by compliance”.
• If you think the auditors could grill you to death with 800-53, 800-53A gives them tons more material.

Now time for a war story: I worked on a project where the contractor was having a hard time building a security program, mostly because they didn’t have the right staff to get the job done.  The government told the contractor to use 800-53A as a starting point, and 6 months of insanity followed with 13 “security engineers” in a conference room cranking out documentation that had no basis in reality.  At the end of it all, the contractor handed the Government a bill for $1M.

Now don’t get me wrong, I like the ideas behind 800-53A, but the first thing you need to know when you start using it is when you shouldn’t use it:

• Don’t run test procedures on every computer you have, use an automated tool and do spot-checks to validate that the automated tool works.
• Use less test procedures on low-criticality systems.
• “This procedure is conducted as part of the hardening validation process.”
• Common controls are even more important because you do not want the repetition of effort.

And whatever you do, don’t let 800-53A turn your risk management into a compliance activity.  It has all the potential to do that.

US Government Doc’s photo by Manchester Library.

• OMB Wants a Direct Report
• An Open Letter to NIST About SP 800-30
• Auditors, Frameworks, and Philosophy
• Security Assessments as Fraud, Waste, and Abuse
• Observations on SP 800-37R1

And by “kerfluffle”, I mean these articles:

• GAO Privacy Report
• Technology Liberation Front
• Center for Democracy and Technology
• And how about an analysis of the Privacy Act from DOJ for background reasons?

Well, let’s talk about how privacy and the Government works with Uncle Rybolov (please hold the references to Old Weird Uncle Harold until we’re through with today’s lesson please).

We have a law, the Privacy Act of 1974.  Think about it, what significant privacy-wrenching activities happened just a couple of years prior?  Can we say “Watergate Scandal“?  Can we say “Church Committee“?  Suffice it to say, the early 1970s was an era filled with privacy issues and is where most of our privacy policy and law comes from.  Remember this for later:  this was the 1970’s!

Each of the various sections of the Privacy Act deals with a particular data type.  For instance, Title 13 refers to data collected by the Census Bureau when they’ll go count everybody in 2010.

The Privacy Act talks about the stuff that everybody in the Government needs to know about:  how you’re going to jail if you disclose this information to a third party.  For those of you who have ever been in the military or had to fill out a government form that required your social security number, the light in the back of your head should be going off right now because they all have the warnings about disclosure.

Remember to respect the privacy of the beach huts and chairs photo by Joe Shlabotnik

When it comes to IT security, the Privacy Act works like this:

• You realize a need to collect PII on individuals.
• You do a privacy impact assessment to determine if you can legally collect this data and what the implications of collecting the data are.
• You build rules about what you can do normally with the data once you have collected it.  This is called the “routine use”.
• You write a report on how, why, and about whom you’re collecting this information.  This is known as the “System of Record Notice”.
• You file this report with the Federal Register to notify the public.
• This IT system becomes the authoritative source of that information.

IE, no secret dossiers on the public.  We’ll suspend our disbelief in FISA for a minute, this conversation is about non-intelligence data collection.

Now the problem with all this is that if you stop and think about it, I was 1 year old when the Privacy Act was signed.  Our technology for information sharing has gone above and beyond that.  We can exchange data much much much more quickly than the Privacy Act originally intended.  As a result, we have PII everywhere.  Most of the PII is needed to provide services to the citizens, except that it’s a royal PITA to protect it all, and that’s the lesson of the past 2 years in Government data breaches.

Problems with the Privacy Act:

• The SORN is hard to read and is not easy to find.
• Privacy Act data given to contractors or “business partners” (aka, state and local government or NGOs) does not have the same amount of oversight as it does in the Government.
• Data given to the Government by a third-party is not susceptible to the Privacy Act because the Government did not collect it.  Wow, lots of room for abuse–waterboarding-esque abuse.
• Privacy Act procedures were written for mainframes.  Mainframes have been replaced with clusters of servers.  It’s easy to add a new server to this setup.  Yes, this is a feature.
• If you build a new system with the same data types and routine uses as an already existing SORN, you can “piggyback” on that existing SORN.
• It’s very easy to use the data in a way that isn’t on your “routine use” statement, thus breaking the entire privacy system.

Obviously, at this point, you should have gotten the hint that maybe we need to revise the Privacy Act.  I think GAO and OMB would agree with you here.

So, what alternatives do we have to the existing system?

• Make blanket data types and do a PIA and SORN on them regardless of where that data lies.
• Bend the Paperwork Reduction act and OMB guidance so that we don’t collect as much information.
• Make the Privacy Act more specific on what should be in SORN, PIA, and routine use statements.

To be honest, it seems like most of this is already in place, it just needs to get tuned a little bit so we’re doing the right things.  Once again, the scale of the Government’s IT infrastructure is keeping us from doing the right thing:    there isn’t enough time in the day to do PIAs on a per-server basis or to keep track of every little bit of data.  You have to automate our privacy efforts in some fashion.

And this is why, dear readers, I think the Government needs DLP solutions more than the private sector does.  Too bad the DLP vendors are stuck on credit cards and social security numbers.

• More on Georgia’s FISMA Reporting
• Current Government Security Initiatives
• New SP 800-60 is Out, Categorize Yerselves Mo Better
• Database Activity Monitoring for the Government
• Transparency in Government: Just Give us the Data!

Check out this slideshow and this workshop paper from 2006 on some ideas that NIST and a fairly large advisory panel have put together about certification of C&A service providers.  I’ve heard about this for several years now, and it’s been fairly much on a hiatus since 2006, but it’s starting to get some eartime lately.

The interesting thing to me is the big question of certifying companies v/s individuals.  I think the endgame will involve doing both because you certify companies for methodology and you certify people for skills.

This is the problem with certification and accreditation services as I see it today:

• Security staffing shortage means lower priority:  If you are an agency CISO and have 2 skilled people, where are you going to put them?  Odds are, architecture, engineering, or some other high-payoff activity, meaning that C&A services are candidates for entry-level security staff.
• Centralized v/s project-specific funding:  Some agencies have a “stable” of C&A staff, if it’s done wrong, you end up with standardization and complete compliance but not real risk management.  The opposite of this is where all the C&A activities are done on a per-project basis and huge repetition of effort ensues.  Basic management technique is to blend the 2 approaches.
• Crossover of personnel from “risk-avoidance” cultures:  Taking people from compliance-centric roles such as legal and accounting and putting them into a risk-based culture is a sure recipe for failure, overspending, and frustration.
• Accreditation is somewhat broken:  Not a new concept–teaching business owners about IT security risk is always hard to do, even more so when they have to sign off on the risk.
• C&A services are a commodity market:  I covered this last week.  This is pivotal, remember it for later.
• Misinformation abounds:  Because the NIST Risk Management Framework evolves so rapidly, what’s valid today is not the same that will be valid in 2 years.

So what we’re looking at with this blog post is how would a program to certify the C&A service providers look like.  NIST has 3 viable options:

• Use Existing Certs: Require basic certification levels for role descriptions.  DoD 8570.1M follows this approach.  Individual-level certification would be CAP, CISSP, CG.*, CISA, etc.  The company-level certification would be something like ITIL or CMMI.
• Second-Party Credentialing:  The industry creates a new certification program to satisfy NIST’s need without any input from NIST.  Part of this has already happened with some of the certifications like CAP.
• NIST-Sponsored Certification:  NIST becomes the “owner” of the certification and commissions organizations to test each other.

Now just like DoD 8570.1M, I’m torn on this issue.  On one hand, it means that you’ll get a higher caliber of person performing services because they have to meet some kind of minimum standard.  On the other hand, introducing scarcity means that there will be even less people available to do the job.  But the big problem that I have is that if you introduce higher requirements on commodity services, you’re squeezing the market severely:  costs as a customer go up for basic services, vendors get even less of a margin on services, more charlatans show up because you’ve tipped over into higher-priced boutique services, and mayhem ensues.

Guys, I’m not really a rocket scientist on this, but really after all this effort, it seems to me that the #1 problem that the Government has is a lack of skilled people.  Yes, certifying people is a good thing because it helps weed out the dirtballs with a very rough sieve, but I get the feeling that maybe what we should be doing instead is trying to create more people with the skills we need.  Alas, that’s a future blog post….

However, the last thing that I want to see happen is a meta-game of what’s going on with certifications right now–who certifies those who certify?  I think it’s a vicious cycle of cross-certification that will end up with the entire Government security industry becoming one huge self-licking ice cream cone.  =)

• Now ISC2 Blogs have an Opinion on FISMA
• When the Feds Come Calling
• Splunk Goes After the FISMA Lucre, They’re not Alone
• Comments on SCAP 2008
• “Machines Don’t Cause Risk, People Do!”

Ever watch a marathon on TV?  There’s the usual formula for how we lay out the day:

• History of the marathon and Pheidippides
• Discussion of the race length and how it was changes so that the Queen could watch the finish
• World records and what our chances are for making one today
• Graphics of the race course showing the key hills and the “sprint to the finish”
• Talk about the womens’ marathon including Joan Benoit and Kathrine Switzer
• Description of energy depletion and “The Wall”
• Stats as the leaders hit the finsh line
• Shots of “back-of-the-pack” runners and the race against yourself

Well, I now present to you the formula for FISMA Report Cards:

• Paragraph about how agencies are failing to secure their data, the report card says so
• History and trending of the report card
• Discussion on changing FISMA
• Quote from Karen Evans
• Quote from Alan Paller about how FISMA is a failure and checklist-driven security
• Wondering when the government will get their act together

Have a read of Dancho’s response to the FISMA Report Card.  Pretty typical writing formula that you’ll see from journalists.  I won’t even comment on the “FISMA compliance” title.  Oh wait, I just did.  =)

Some myths about FISMA in particular that I need to dispell right now:

1. FISMA is a report card:  It’s a law, the grades are just an awareness campaign.  In fact, the whole series of NIST Special Publications are just implementation techniques–they are guidance after all.  Usually the media and bloggers talk about what FISMA measures and um, well, it doesn’t measure anything, it just requires that agencies have security programs based on a short list of criteria such as security planning, contingency planning, and security testing.  It just goes back to the adage that nobody really knows what FISMA is.
2. FISMA needs to be changed:  As a law, FISMA is exactly where it needs to be.  Yes, Congress does have talks about modifying FISMA, but not much has come of it because what they eventually discover after much debate and sword-waving is that FISMA is the way to write the law about security, the problem is with the execution at all levels–OMB, GAO, and the agencies–and typically across organizational boundaries and competing master agendas.
3. There is a viable alternative framework:  Dancho points out this framework in his post which is really an auditors’ plugin to the existing NIST Framework for FISMA.  Thing is, nobody has a viable alternative framework because it’s still going to be the same people with the same training executing in the same environment.

Urban Cell-Phone Fire Myth photo by richardmasoner.  This myth is dispelled at snopes.com.

Way back last year I wrote a blog post about indicator species and how we’re expecting the metrics to go up based on our continual measuring of them.  Every couple of months I go back and review it to see if it’s still relevant.  And the answer this week is “yes”.

Now I’ve been thinking and talking probably too much about FISMA and the grades over the past couple of years, so occassionally I come to conclusions .  According to Mr Vlad the Impaler, the report card is a bad idea, but I’m slowly beginning to see the wisdom of it:  it’s an opportunity to have a debate and to raise some awareness of Government security outside of those of us who do it.  The only other time that we have a public debate about security is after a serious data breach, and that’s not a happy time.

I just wish the media would stop with the story line that FISMA is failing because the grades provide recursive evidence of it.

• FISMA Report Cards Issued–Response is Rote by Now
• GAO’s 5 Steps to “Fix” FISMA
• A Funny Thing Happened Last Week on Capital Hill
• Random Thoughts on “The FISMA Challenge” in eHealthcare
• When the Feds Come Calling

Interestingly, Splunk has been going after FISMA dollars here lately.  check out the Forbes article, video on YouTube, and their own articles.  I guess there’s another “pig at the trough” (heh, including myself from time to time).

It’s interesting how companies decide to play in the Government market.  It seems like they fall into 2 categories:  companies that have grown to the point where they can sustain the long-term investment with a chance of payoff in 5 years, and companies that are desparate and want a spot at the trough.

To its credit, Splunk seems to be one of the former and not the latter, unlike the hordes of “Continuous Compliance” tools I’ve seen in the past year.

Which brings up the one big elephant in the room that nobody will talk about:  who is making money on FISMA?

This is my quick rundown on where the money is at:

• Large Security Services Firms:  Definitely.  About a quarter of that is document-munging and other jack*ssery that is wasteful, but a good 3/4 of the services are needed and well-received.  Survival tip:  combining FISMA services with other advisory/assessment services.
• Software and Product Vendors:  Yes and no.  Depends on how well they can make that crucial step of doing traceability from their product to the catalog of controls or have a product that’s so compelling that the Government can’t say no (A-V).  Survival tip:  Partner with the large integrator firms.
• Managed Security Service Providers:  Yes, for the time being,  but look at their market getting eaten from the top as US-CERT gets more systems monitored under Einstein and from the bottom as agencies stand up their own capabilities.  Survival tip: US-Cert affiliation and watch your funding trail, when it starts to dry up, you had better be diversified.
• System Integrators:  It’s split.  One half of them take a loss on FISMA-related issues because they get caught in a Do What I Mean with a “Contractor must comply with FISMA and all NIST Guidance” clause.  The other half know how to either scope FISMA into their proposals or they have enough good program management skills to protest changes in scope/cost.  Survival tip:  Have a Government-specific CSO/CISO who understands shared controls and how to negotiate with their SES counterparts.
• 8(a) and Security Boutique Firms:  Yes, depending on how well they can absorb overhead while they look for work.  Survival tip:  being registered as a disadvantaged/woman-owned/minority-owned/foo-owned business means that the big firms have to hire you because their contracts have to contain a certain percentage of small firms.
• Security Training Providers:  Yes.  These guys always win when there’s a demand.  That’s why SANS, ISC2, and a host of hundreds are all located around the beltway.  Survival tip:  trying to absorb government representation in training events and as speakers.

• NIST’S FISMA Pase II–Who Certifies Those who Certify the Certifiers?
• Security Assessment Economics
• More on Georgia’s FISMA Reporting
• Imagine that, System Integrators Doing Security Jointly with DoD
• Introducing the Government’s Great InfoSec Equities Issue