How I Do the “FISMA Thang”

Posted December 18th, 2007 by

No big surprise, I’m a contractor who operates outsourced government IT systems. As a result, I get assessed and audited more than anybody else in the world (yes, hyperbole added). Anyway, I’m going to talk about what I give to my customers in the spirit of “object reuse”, it might come in handy for other people in the future.

I provide the following items to our account teams:

  • Pre-sales: Document explaining how the operations group handles security that can be dropped into a proposal. This is freely-available because it doesn’t open up the cookie jar too much, and proposals to the government are available with the right requests. Modified version is included below.
  • Pre-sales: Traceability matrix to delineate controls provided as part of service. This is released only to the capture/account team.  This is a work-in-progress because it’s a big bite to chew.
  • Post-sales: Security controls document covering shared controls that can be dropped into a system security plan. You can get this in electronic form with a signed NDA.
  • Post-sales: Addendum to Security Controls Document that describes the specifics on hybrid controls for your system.
  • Post-sales: Auditor binder with all local policies and evidence for common controls. You can look but you can’t take it with you.

This is the text of the pre-sales security description, remember it’s written for a general-purpose audience:

Security of the Government IT systems and the data at the $FooCorp Operations Center requires cooperation between the Government and $FooCorp for program-specific and hybrid controls not provided by either the Government (security governance, Exhibit 53 filing) or the Operations Center (physical security, personnel security, media protection).

The hosting, monitoring, and management services provided by the state-of-the-art $FooCorp Operations Center are specially designed, configured and managed to meet the special IT security requirements of our Federal customers. The facility supports a FIPS-199 and FIPS-200 moderate control baseline and provides a common controls subset of SP 800-53 for all customers. The Data Center, NOC, and SOC have been audited numerous times by a wide variety of client agencies and their Inspectors General in support of Security Test and Evaluation, Certification and Accreditation, and annual FISMA audits.

Upon client request, $FooCorp can provide the Government with a Security Controls Document that describes the security controls, primarily physical security, in place at the Operations Center. The SCD is designed to be a “drop-in” augmentation for the customers’ system security plans. The Operations Center staff also maintains an audit binder that is for on-premises viewing by auditors, C&A staff, or security testers.

Now, taking a look at what I have, basically I’m saying the following points:

  • Security controls are a joint responsibility between the Government and $FooCorp.
  • I have common controls to save you time and money, you can get the full details after you hire us.
  • I have many other customers that are satisfied with my controls.

What I have on my wish-list for the future:

  • Being able to provide verification and validation of my common security controls. Yes, a SAS-70 properly scoped fits in here, but I don’t have the budget to make it happen and it will end up being a duplication of effort in most cases where the customer wants to do their own assessment.
  • Being able to reuse evaluation results from one customer to share with other customers. So far, I haven’t gotten any traction to do this because everybody wants to own their assessment results even though it’s a shared control.



Posted in Outsourcing, The Guerilla CISO, What Works | 3 Comments »

Carnegie Mellon’s Guide to MSSPs

Posted November 7th, 2007 by

I had a good conversation this morning with a friend going over what to look for in picking a Managed Security Service Provider.  Since I have this wonderful relationship with our SOC (I’m both their customer and their LANLord), he wanted to know how, what, and where.

Over a year ago when I started getting involved in the managed service business, I found Carnegie Mellon’s “Outsourcing Managed Security Services” (.pdf caveat).  I recommended that my friend go check it out, and on a lark I had a look at it.  It’s still relevant today.

And yes, Hoff, the report is from the “Networked Systems Survivability Program”.  Stuff that in your pipe and smoke it. =)

The one thing that keeps sticking in the back of my mind is MSSP service offerings.  So let me pick up the torch for Richard Bejtlich a little bit because deep down inside I like his Network Security Monitoring ideas.

Well, let’s say I’m an MSSP.  Not much of a stretch, really.  Now the problem with being a managed services provider is that I’m only as smart as my customers will let me be.  Some things sell themselves:  firewall monitoring and management; anti-virus deployment, monitoring, and management; and log monitoring and management.  Yes, it’s the same-old, tried-and-true security operations.  Some would say “tired”, and I would probably agree with that, too.

But when it comes to selling NSM (or any other new concept) as a service, it’s hard for me to sell.  The reason is that my customers don’t have an NSM problem, they have security, risk management, compliance, and auditor problems, and the way that they understand to fix those problems is to outsource them.  Yes, that’s the customer defining the solution space, but that’s the realpolitik of the market.

For an MSSP offering a la carte services, I have to frame NSM in a way that does the following:

  • The customer can understand what they are getting
  • The customer realizes a need for that service
  • I’m not beaten on price by my competitors
  • The customer’s auditors can understand how we are helping and that we have value

Basically, that’s just sound business, only my problem space is defined as providing a complex solution (security) on top of an already-esoteric solution (IT in general).




Posted in Outsourcing, What Works | No Comments »

CSIS and Recommendations

Posted November 2nd, 2007 by

Oooh, there is a committee formed by some notables to provide suggestions to the new President. My thoughts are mixed on this one.

Then Richard Bejtlich gets involved, suggesting Jacquith’s Security Metrics. Yes, that’s part of it.

This is the world according to rybolov and some responses to the various people:

  1. What exactly are you trying to measure? When it comes to the FISMA scores, what are we doing except for “Security management through shame?” Metrics are not effective unless they produce something that is actionable. The metrics should be aimed at questions like “Are we getting the kind of security we would expect for as much as we are spending” or “Is our amount of security spending correct for the level of risk that we have” or even “As a nation, where do we need to be putting in additional controls for high-risk activities?”
  2. You need a catalog of controls. It’s that simple, not everyone is a rocket scientist when it comes to enterprise risk management, so you need a set of rules to justify the budget. Yes, there is too much time spent doing that thanks to the 5 layers of oversight on where the money is going.
  3. Today’s government CIO and CISO serve in an advisory role with Congress micromanaging their budget. Let’s just say that out of all the criteria for selecting representation in Congress, understanding security budgeting isn’t even on the map. Now how do you expect to win in that environment? You can’t continue to beat up the CIOs and CISOs in the executive branch because of decisions made by the legislative branch. You also can’t expect some things that work in the private sector to work in government because the money trail is very different.
  4. You will not accomplish anything with the same people doing the same things. Do you think that with the same people doing $FooFramework instead of a FISMA framework you will still be able to succeed? Basic problem is that we have a higher demand for security people than we have clueful people to fill the gaps. As a result, you have to deal with a high percentage of also-rans and charlatans.
  5. How do we get the people trained to where they need to be? We have a significant gap in abilities vs. our needs for security people. I’ve talked about this before. http://www.guerilla-ciso.com/archives/270
  6. Network Security Monitoring (NSM) practitioners need to figure out how to market to these people as “yes, I’m a Subject Matter Expert and here’s how I fit into your catalog of controls”. In other words, make it easier for people to justify hiring you guys. A *good* FISMA person could sit down in the course of a couple of hours and give you something to trace you back to 800-53 controls and how you satisfy them. In other words, I think Bejtlich has some phenomenal ideas and I’m fairly sold on NSM, but how do I get people to “buy in” when they have all these other ideas competing for people, time, and money?
  7. NSM guys need to make contacts with the people who write the framework and convince them that what they do has merit and that the framework should be changed to include the parts of NSM that aren’t already there. Remember my audience is Congress, how do I justify the money to get NSM implemented? Well, I get it added to the rules or I tell people how NSM is implied in the rules.



Posted in FISMA, What Doesn't Work, What Works | 1 Comment »

Be a Slave to Nakedness and CAPTCHAs

Posted October 30th, 2007 by

Great writeup about a cute piece of malware that uses humans to answer CAPTCHAs in exchange for a striptease.  Something about this I think is evilly clever, but I’m just not sure what it is. =)




Posted in Technical, What Works | No Comments »

Help the Government, Become Literate

Posted October 22nd, 2007 by

Tired of complaining about how FISMA doesn’t work? Well, do something about it.

Go to the NIST Publications Announcement List and get extremely low-volume (at the most, 1 post per month) email announcements on *tada* new NIST Publications.

For anything in a draft version, there are instructions on how to give NIST feedback. Now the big problem for them is that the people who have a real interest in making comments are all in the government sector.  They could use valid feedback from people outside the “inner circle” of government security.

In the words of a past leader of mine, “Don’t criticize unless you have suggestions on how to make it better.”  Well, for those FISMA-naysayers (*cough* NPO, rhymes with “CANS” *cough*), this is your chance.




Posted in NIST, What Works | No Comments »

How to Get a Security Assessment the NIST Way

Posted October 22nd, 2007 by

Those cheeky devils over at NIST have an interesting read out in draft form:  NISTIR 7328 (.pdf caveat).  It’s a draft Interagency Report, but in reality it’s a how-to on being assessed and being the assessor.

I’ve given it a glance and it’s all the things that successful Security Test and Evaluation teams have been doing all along.  I know there’s some kind of “take-away” (my MBA phrase for today) that works out in the private sector.




Posted in FISMA, NIST, Risk Management, What Works | No Comments »
