Response to “What is Information Assurance – The Video”

Posted June 18th, 2007 by

A movie from George Mason professor Paul Strassman on Information Assurance, digitized and shared for posterity thanks to Google Movies.

My response to the movie:

This presentation has many problems.

FISMA is not that large of a law.  You can get the text from the NIST website at the following URL:
http://csrc.nist.gov/policies/FISMA-final.pdf (16 pages long)

FISMA does not require SP 800-53.  It charges NIST with creating standards for information security.  FIPS 200 dictates that an agency use 800-53 as their baseline security controls.  Once again, we’re confusing the law with the implementation.

The security plan is a vehicle to get people to agree on what the security controls should be, not after-the-fact documentation of what security controls exist.

DIACAP is not the first time that systems have had to be certified.  Prior to this, there were DITSCAP, NIACAP, FIPS 102, and SP 800-37.  I also wonder how we got from SP 800-53 to DIACAP, since they are different flavors: civilian agencies vs. DoD.

In certification, you do not certify compliance.  You certify that the controls meet the needs of the business owners.  Those needs might be considerably more relaxed than you think.  For example, completely air-gapped systems in a SCIF don’t need a sizeable chunk of the controls in 800-53.  Compliance is costly because you don’t have the ability to not do something that doesn’t make sense.

The “Hamster Wheel of Pain” that is shown as the DIACAP process is detached from other SDLC activities, which is rapidly becoming one of my pet peeves.  If you do DIACAP divorced from the SDLC, you are creating liarware.

“The DIACAP activities, the certification of the system, is a very involved, complicated, time-consuming, laborious process that nobody has as yet completed.”  It’s so wrong I can’t even begin to explain.

The DAA is not responsible for DIACAP.  The DAA is only a key decision maker.

The DAA does not sign a statement saying that you are secure, they sign a statement saying that the level of risk to the system and to the mission is of an acceptable level.

The CIO does not usually go to the DAA.  The CIO is more likely to be *the* DAA than just about anybody else.

The second half of the movie is general security information, not really IA-specific.

If this is what they teach in the universities around the beltway, no wonder we have an IA constituency who don’t “get it”.

Posted in DISA, FISMA, NIST, What Doesn't Work

Speaking in July/August

Posted June 15th, 2007 by

My friends and I will be teaching the NIST Framework for FISMA with the Potomac Forum from July 13th to August 10 in 5 Friday segments.  This is a small (limited to 35) class and is restricted to government employees only because we go down into frightening detail. =)

I always love this series.  The students start out quiet, expecting us to force-feed them PowerPoint slides, but by the end they know the entire IA framework and are very vocal about defending their position on why a certain risk should be accepted or not.  I get all choked up inside to hear people talk about making a cost-benefit-risk decision and giving a system a conditional ATO.

As a side note, I wrote most of the exercises and tell everybody that the actual answer you gave isn’t as important as the logic you used to get there, but really what you should do is pick one answer and be ready to argue. =)

Posted in FISMA, NIST, Speaking

Friday Flyfishing Post–Kiwi Camo

Posted June 15th, 2007 by

Review of the latest Trout Bum Diaries over at The Global Flyfisher.  I like these guys, like their style, and I can’t wait to get my own copy. =)

Posted in Flyfish

It’s Wireless Audit Time Again

Posted June 14th, 2007 by

Always a fun morning: I did a wireless audit today.  Since my building is full of techies (about 500 of us), they definitely have the ability to install a plethora of rogue wireless access points.  Also, since the building is full of techies, they knew the distinct ping of NetStumbler as it found something.  Depending on which floor I’m on, I attract a little audience.

But then again, part of the point in doing this is that knowing that somebody does a little “war walking” is a deterrent.

Posted in Technical

Zombies on YouTube

Posted June 13th, 2007 by

Some zombie movies off YouTube.  Knowing the enemy is half of the solution.

Posted in Zombies

Stands Alone

Posted June 13th, 2007 by

I keep track of what the blogosphere is saying about government security, FISMA, C&A, etc.  Some days I get the feeling that I’m the only person who writes about these core subjects, which leads me to several theories:

  • Nobody knows enough on these themes to blog about it
  • Those who know enough to blog can’t write about their job experiences
  • Those who know work for the government and are forbidden to blog because they publicly cannot endorse one solution over another
  • I’m venturing into uncharted waters of some sort
  • I need to be hospitalized for my enthusiasm
  • The first rule of FISMA blog club is that you do not talk about FISMA blog club

Anyway, I’m open to comments.

Posted in FISMA, Odds-n-Sods