Posted June 2nd, 2008 by rybolov
The fun part of this time of the year: the FISMA Report Armchair Quarterbacks. Hey, even I fit in there somewhere because right now I’m nowhere near being in a decision-making role for the Government.
Well, today it’s the ISC2 blog talking about FISMA.
So why is it that nobody addresses the huge pink and chartreuse elephant in the room? The problem is not the metrics, as flawed as they might be. The problem is not identifying a security baseline, even though that makes sense to have. The problem is not demonstrating Return on Security Investment (as flawed as the concept is, and no, I don’t want to debate whether it’s a valid concept, even though we all know it’s not) even though good CISOs try to do that as internal marketing to their management.
This is the primary problem for the Government when it comes to security: due to the scale of the Federal Government, we do not have enough skilled security people to go around. Almost all of our governance models are designed around this flaw:
- Catalog of controls to standardize
- Checklists so that less-skilled assessors can
- Varying degrees of automation
- Prioritization of security practitioners’ time
This is why I’m adding “Fast Food Franchises” to the list of models that large-scale security can draw from. =) More to come on this topic once I sort out the ideas.
McDonald’s Checklist photo by myuibe
Posted in FISMA, Rants | 6 Comments »
Tags: blog • compliance • fisma • gettingtogreen • government • infosec • management • scalability • security
Posted May 27th, 2008 by rybolov
Ever watch a marathon on TV? There’s the usual formula for how we lay out the day:
- History of the marathon and Pheidippides
- Discussion of the race length and how it was changed so that the Queen could watch the finish
- World records and what our chances are for making one today
- Graphics of the race course showing the key hills and the “sprint to the finish”
- Talk about the women’s marathon including Joan Benoit and Kathrine Switzer
- Description of energy depletion and “The Wall”
- Stats as the leaders hit the finish line
- Shots of “back-of-the-pack” runners and the race against yourself
Well, I now present to you the formula for FISMA Report Cards:
- Paragraph about how agencies are failing to secure their data, the report card says so
- History and trending of the report card
- Discussion on changing FISMA
- Quote from Karen Evans
- Quote from Alan Paller about how FISMA is a failure and checklist-driven security
- Wondering when the government will get their act together
Have a read of Dancho’s response to the FISMA Report Card. Pretty typical writing formula that you’ll see from journalists. I won’t even comment on the “FISMA compliance” title. Oh wait, I just did. =)
Some myths about FISMA in particular that I need to dispel right now:
- FISMA is a report card: It’s a law, the grades are just an awareness campaign. In fact, the whole series of NIST Special Publications are just implementation techniques–they are guidance after all. Usually the media and bloggers talk about what FISMA measures and um, well, it doesn’t measure anything, it just requires that agencies have security programs based on a short list of criteria such as security planning, contingency planning, and security testing. It just goes back to the adage that nobody really knows what FISMA is.
- FISMA needs to be changed: As a law, FISMA is exactly where it needs to be. Yes, Congress does have talks about modifying FISMA, but not much has come of it because what they eventually discover after much debate and sword-waving is that FISMA is the way to write the law about security, the problem is with the execution at all levels–OMB, GAO, and the agencies–and typically across organizational boundaries and competing master agendas.
- There is a viable alternative framework: Dancho points out this framework in his post which is really an auditors’ plugin to the existing NIST Framework for FISMA. Thing is, nobody has a viable alternative framework because it’s still going to be the same people with the same training executing in the same environment.
Urban Cell-Phone Fire Myth photo by richardmasoner. This myth is dispelled at snopes.com.
Way back last year I wrote a blog post about indicator species and how we’re expecting the metrics to go up based on our continual measuring of them. Every couple of months I go back and review it to see if it’s still relevant. And the answer this week is “yes”.
Now I’ve been thinking and talking probably too much about FISMA and the grades over the past couple of years, so occasionally I come to conclusions. According to Mr Vlad the Impaler, the report card is a bad idea, but I’m slowly beginning to see the wisdom of it: it’s an opportunity to have a debate and to raise some awareness of Government security outside of those of us who do it. The only other time that we have a public debate about security is after a serious data breach, and that’s not a happy time.
I just wish the media would stop with the story line that FISMA is failing because the grades provide recursive evidence of it.
Posted in FISMA, NIST, What Doesn't Work, What Works | 9 Comments »
Tags: auditor • blog • collusion • comments • compliance • fisma • gao • government • infosec • management • omb • scalability • security
Posted May 15th, 2008 by rybolov
Oh yes, maybe I ate too much sushi last night, but I’m now adding a LOLCATS section to my blog over in the categories. Stay tuned for moar.
Posted in IKANHAZFIZMA, Odds-n-Sods | 6 Comments »
Tags: blog • fisma • lolcats
Posted April 30th, 2008 by rybolov
OK, I saw this really cool widget on a blog somewhere. It tests the literacy level of your blog and tells you at what level you write. Sure, OK, I’ll bite. Bloggers love bling, dontcha know?
Fortunately for anybody who has eyes, the code that the site gives you to put the widget on your blog contains a SEO-spamming link. Oh joy, it’s easily removable if you’re halfway knowledgeable. But you still can use the textbox to feed urls to the machine.
Anyway, in the interest of science and all things egotastical, I submitted some sample security blogs and was highly surprised at some of the results. My rundown on how particular sites rate:
Now if I check out Amrit’s blog tomorrow and he’s got a genius sticker displayed prominently on his site, I’ll take the blame and rage from the blogosphere. It’s only fitting.
To be honest, I’m surprised I didn’t come in at the preschool level, what with my lowbrow sense of humor and all. =)
Posted in Odds-n-Sods, The Guerilla CISO | 10 Comments »
Tags: blog • genius • literacy • pwnage