I remember it like it was March:  Georgia voluntarily adopted FISMA-esque metrics.  I just found the policy statement for what they’re collecting in 2008.  On a side note, all of Georgia’s security policies feature concepts borrowed from NIST, something I like.

Let’s talk about the scope creep of Government security, shall we?  Fact of the matter is, it’s going to happen, and you’ll get eventually get caught up in FISMA if you’re one of the following:

• State and local government
• Government contractor
• Telco
• Government service provider
• COTS software vendor
• Utilities who own “Critical Infrastructure”

Why do I say this?  Mainly because just like how the DoD is discovering that it can’t do its InfoSec job without bringing the civilian agencies along due to connectivity and data-sharing issues, the Federal Government is coming to the point where it can’t secure its data without involving these outside entities.  Some are providers, but the interesting ones are “business partners”–the people that share data with the Government.

State and local government are the ones to watch for this pending scope creep.  The Federal Government works on the premise that the responsibility to protect data follows wherever the data goes–not a bad idea, IMO.  If they transfer data to the states, the states need to inherit the security responsibility and appropriate security controls along with it.

Now if I’m a contractor and exchange data with the Government, this is an easy fix:  they don’t pay me if I don’t play along with their security requirements.  When a new requirement comes along, usually we can haggle over it and both sides will absorb a portion of the cost.  While this might be true for some state programs, it becomes a problem when there is no money changing hands and the Federal Government wants to levy its security policies, standards, etc on the states.  Then it becomes a revolt against an unfunded mandate like RealID.

There are some indicators of Federal Government scope creep in the Georgia policy.  This one’s my favorite:

The performance metrics will also enhance the ability of agencies to respond to a variety of federal government mandates and initiatives, including the Federal Information Security Management Act (FISMA).

Georgia on my Mind by SewPixie.

• When the Feds Come Calling
• Georgia Modifies and Adopts FISMA Framework
• Why You Should Care About Security and the Government
• Random Thoughts on “The FISMA Challenge” in eHealthcare
• How to Not Let FISMA Become a Paperwork Exercise

In amongst all the usual ISC2 spammings, this one should perk the interest of my blog readers:  The Government Information Security Leadership Awards.  Nominations are open until July 25th.

• Downtime
• Business Leadership Training
• AppSec DC Press and Themes
• Stands Alone
• Transparency in Government: Just Give us the Data!

CAVEAT:  This document is dangerous!  See this post before you go any further.  You have been warned!

It stands to reason that one of my recurring search strings in my blog stats is people looking for a copy of NIST SP 800-26.  I even have commenters looking for it.  We like commenters enough to give them what they want, don’t we?

So I thought long and hard until my thinker was sore, asked some friends, and puzzled a bit more about why people would be so interested in a document that is, like Latin, dead.

My resident curmudgeon (yes, even a BSOFH needs a role model from time to time), Vlad the Impaler, offered up the suggestion:  That state and local governments need it because they’re usually 5-10 years behind the Federal Government.  Even then, I don’t get it, and with a shrug, I’ll leave it at that.

Anyway, I’ve uploaded the most recent version here (foo.pdf caveat applies).  I got the file in an email from Vlad, so he’s the one you should really thank.  In the spirit of complete irony, this file could become the #1 download for me. =)

CAVEAT:  This document is dangerous!  See this post before you go any further.  You have been warned!

• An Open Letter to NIST About SP 800-30
• SP 800-53A Now Finally Final
• Old Saint NIST: Ho Ho Hold on, what’s this?
• Why You Should Care About Security and the Government
• Some Comments on SP 800-39

Nice, somebody added up all the security events in Northern Virginia and put them in one place. Not only is this a good idea, but I have no less than half a dozen events happening every month within 2 miles of where I live.  I now have a busy social calendar and I have to manage my “copious amounts of free time”.

Things haven’t been this happening since the Army of the Potomac invaded.

• Learning GovieSpeak: The Plum Book
• Federal CIO Council’s Guidelines on Security and Social Media
• Communicating the Value of Security Seminar Preview
• Jeff Jones and Flameproof Underwear
• Super Secret Security Control You Were Never Meant To See

Oh yes, maybe I ate too much sushi last night, but I’m now adding a LOLCATS section to my blog over in the categories.  Stay tuned for moar.

• Lolcats and QR Codes
• Lolcats, Capital Hill, and a Haiku
• Lolcats Coming to you from the Cloud
• The Authorizing Official and the Lolcat
• LOLCATS, Eric Schmidt, and Privacy

Rmogull of Securosis and Gunnar Peterson claim that GRC is dead.  In my typical global-brained style, I want to cut to the root cause of why GRC is stillborn.

As a group, we need to come to the concensus that half of the security industry is a bunch of spam-sending FUD-mongering dotcom dropouts with MBAs who see the “perfect storm” of money and opportunity that an uncertain-but-necessary niche market brings.  Furthermore, I say we distance ourselves from them because they make the rest of us look bad.

Failed parking meter by cgansen. 

These are the same people who pitched technical policy compliance solutions for SOX which became continuous compliance which begat risk management which begat GRC.  Do we really need all this cr*p?

Look at the warning signs of this half of the industry, these were so true for the dotcom era:

• New companies qnd products you’ve never heard of
• Staff nobody’s ever heard of
• “Trendy” product class that everybody wants to do this year
• Claim to have product purchased by a “Major Financial Institution”
• Is a rebranding of a previously-failing product
• Company was not security-focused last year
• Company and product life-span of ~2 years
• No alignment with other vendors or industry leaders
• Technology is “hoaky”–SIEM solutions using MS Access as the back-end
• Feels “gimmicky”

If you see any of these in a perspective vendor, run away now!  And if you do buy, don’t say I didn’t warn you.

Now, in a past life, SSG Rybolov would say something witty like how people who are used to preventing and detecting fraud should be able to come up with a model to keep people from invading the industry looking for the filthy lucre.  In fact, I think I just might have.  =)

The other half of you all, the non-snake-oil-selling half, is great, keep up the good work and never, ever go to the dark side.

• How to Not Let FISMA Become a Paperwork Exercise
• Engagement Economics and Security Assessments
• An Open Letter to the Next President of the United States
• When the News Breaks, We Fix it…
• “Machines Don’t Cause Risk, People Do!”