Article from William Jackson in Government Computer News:  Security policies remain a burden to federal IT managers, but they are producing results.

First off, GCN, come into the modern Web 2.0 era by letting people comment on your articles or at least allow trackbacks.  Having said that, let’s look at some of Mr Jackson’s points:

• NIST Special Publications: They’re good.  They’re free.  The only problem is that they’re burying us in them.  And oh yeah, SP 800-53A is finally final.
• Security and Vendors/Contractors:  It’s much harder than you might think.  If there’s interest, I’ll put out some presentations on it in my “copious amounts of free time”.  In the meantime, check out what I’ve said so far about outsourcing.
• Documentation and Paperwork:  Sadly, this is a fact of life for the Government.  The primary problem is the layers of oversight that the system owner and ISSO have.  When you are as heavily audited as the executive branch is, you tend to avoid risks and overdocument.  My personal theory is that the reason is insistence on compliance instead of risk management.
• Revising FISMA:  I’ve said it time and time again, the law is good and doesn’t need to be changed, the execution is the part that needs work.

• An Open Letter to NIST About SP 800-30
• FISMA Report Card News, Formulas, and 3 Myths
• Ooh, “The Word” is out on S 3474
• How to Not Let FISMA Become a Paperwork Exercise
• A Funny Thing Happened Last Week on Capital Hill

Dear NIST People,

I have this semi-random digital scribbling thingie called a blog.  You might have heard of them.  Hey, you might have even at one point heard of mine.  =)

On my blog I let it be known that I am what the rest of the world would call a “NIST Cheerleader”.  I watch your every move.  I comment on your new publications.  I teach your framework every quarter.  From time to time, I criticize, but only because I have a foot in the theory of information security that you live and a foot in the implementation with agencies who know where the theory and models break.

The best thing that you have given us is not the risk management framework, it was SP 800-30, “Risk Management Guide for Information Systems”.  It’s small, to-the-point, and scalable from a single server to an entire IT enterprise.  Sure, the quants hate it, but for the quals and Government, it’s good enough.  I know private-sector organizations that use it.  One of my friends and blog readers/commenters was the guy who taught a group of people how to do risk assessment, then these same people went on to help you write the book.

I heard that you were in the process of revising SP 800-30.  While this is much needed to catch up/modernize, I want to make sure that 800-30 does not follow the “live by the catalog, die by the catalog” path that we seem to be following lately.  In other words, please don’t change risk assessment process to the following:

1. Determine boundary
2. Determine criticality
3. Conduct a gap assessment against a catalog of controls (SP 800-53/800-53A)
4. Attach a priority to mitigation
5. Perform risk avoidance because compliance models are yes/no frameworks
6. Document
7. ???
8. Profit!

At Your Own Risk Photo by  Mykl Roventine.

The reason that I am writing this is to let you know that I have noticed a disturbing trend in how now that we have a catalog of controls, the risk management framework is focusing more and more heavily on the catalog as the vehicle for determine an adequate level of security.  Some of this is good, some of this is not.

Why am I so concerned about this?  Well, inside the Government we have 2 conflicting ideas on information security:  compliance v/s risk management.  While we are fairly decent Government-wide at compliance management, the problem that we have is in risk management because risk management is only as good as the people who perform the risk assessment.  Not that we don’t have competent people, but the unknowns are what will make or break your security program, and the only way that you can known the unknowns is to get multiple assessments aimed at risks outside of the control catalog.

However, if you change the risk assessment process to a “catalog of controls gap analysis” process, then we’ve completely lost risk management in favor of compliance management.  To me, this is a disturbing trend that needs to be stopped.

Thank you for your time

–Rybolov

• Observations on SP 800-37R1
• Workin’ for the ‘Counters: an Analysis of my Love-Hate Relationship with the CPAs
• Reinventing FedRAMP
• It’s a Problem of Scale!
• Now ISC2 Blogs have an Opinion on FISMA

Ever watch a marathon on TV?  There’s the usual formula for how we lay out the day:

• History of the marathon and Pheidippides
• Discussion of the race length and how it was changes so that the Queen could watch the finish
• World records and what our chances are for making one today
• Graphics of the race course showing the key hills and the “sprint to the finish”
• Talk about the womens’ marathon including Joan Benoit and Kathrine Switzer
• Description of energy depletion and “The Wall”
• Stats as the leaders hit the finsh line
• Shots of “back-of-the-pack” runners and the race against yourself

Well, I now present to you the formula for FISMA Report Cards:

• Paragraph about how agencies are failing to secure their data, the report card says so
• History and trending of the report card
• Discussion on changing FISMA
• Quote from Karen Evans
• Quote from Alan Paller about how FISMA is a failure and checklist-driven security
• Wondering when the government will get their act together

Have a read of Dancho’s response to the FISMA Report Card.  Pretty typical writing formula that you’ll see from journalists.  I won’t even comment on the “FISMA compliance” title.  Oh wait, I just did.  =)

Some myths about FISMA in particular that I need to dispell right now:

1. FISMA is a report card:  It’s a law, the grades are just an awareness campaign.  In fact, the whole series of NIST Special Publications are just implementation techniques–they are guidance after all.  Usually the media and bloggers talk about what FISMA measures and um, well, it doesn’t measure anything, it just requires that agencies have security programs based on a short list of criteria such as security planning, contingency planning, and security testing.  It just goes back to the adage that nobody really knows what FISMA is.
2. FISMA needs to be changed:  As a law, FISMA is exactly where it needs to be.  Yes, Congress does have talks about modifying FISMA, but not much has come of it because what they eventually discover after much debate and sword-waving is that FISMA is the way to write the law about security, the problem is with the execution at all levels–OMB, GAO, and the agencies–and typically across organizational boundaries and competing master agendas.
3. There is a viable alternative framework:  Dancho points out this framework in his post which is really an auditors’ plugin to the existing NIST Framework for FISMA.  Thing is, nobody has a viable alternative framework because it’s still going to be the same people with the same training executing in the same environment.

Urban Cell-Phone Fire Myth photo by richardmasoner.  This myth is dispelled at snopes.com.

Way back last year I wrote a blog post about indicator species and how we’re expecting the metrics to go up based on our continual measuring of them.  Every couple of months I go back and review it to see if it’s still relevant.  And the answer this week is “yes”.

Now I’ve been thinking and talking probably too much about FISMA and the grades over the past couple of years, so occassionally I come to conclusions .  According to Mr Vlad the Impaler, the report card is a bad idea, but I’m slowly beginning to see the wisdom of it:  it’s an opportunity to have a debate and to raise some awareness of Government security outside of those of us who do it.  The only other time that we have a public debate about security is after a serious data breach, and that’s not a happy time.

I just wish the media would stop with the story line that FISMA is failing because the grades provide recursive evidence of it.

• FISMA Report Cards Issued–Response is Rote by Now
• GAO’s 5 Steps to “Fix” FISMA
• A Funny Thing Happened Last Week on Capital Hill
• Random Thoughts on “The FISMA Challenge” in eHealthcare
• When the Feds Come Calling

I have a very disturbing trend with comments to my blog:  I don’t get any comments on the serious stories–only the “fun” posts.

This leads me to believe one of the following is at play:

• I write succinctly and with authority and never make mistakes. (at least it helps to hope…)
• Nobody knows the subjects that I talk about because it’s a niche to a niche.
• I don’t sensationalize the news enough to make people want to comment.  Note that this is a radical departure from the mainstream media when it comes to security and government, where FUD-mongering is the norm.
• People are scared of me because they think I’m intellectually and emotionally unstable and that I’m going to trash them if they comment.  =)
• Government employees are afraid to put anything critical of their leadership in writing.
• Like they say about the classified world, “Those who know don’t talk, those who talk don’t know”. (side note:  what am I saying about myself here?)
• The First Rule of FISMA Club is that YOU DO NOT TALK ABOUT FISMA CLUB!!!111oneoneone
• If it’s your first comment, you have to fight.

Blog Explanation in French by Stephanie Booth

Now the problem for me is that in order to make security in the government work, we need to change the culture of the people doing it.  IT and specifically security require a zero-defects approach, and this is counter to survivability in a political environment.  The only way we can do that is if I’m not the only voice preaching in the wilderness–I really do want people to tell me I’m full of it and give a good rationale.  =)

In the spirit of helping, this is the Guerilla’s Guide to Commenting on http://www.guerilla-ciso.com/

• Everything in Moderation:  No big surprise–I moderate comments.  This is pretty much so I can keep the spam out.  I’ve only had one legitimate post that I deleted because it was personal in nature from a person who knew me in “a past life”.
• Email is Semi-Anonymous:  If you post a comment using a bogus email address, I’m happy with it as long as the content is relevant and doesn’t look like spam.  The email address is really only so wordpress can track you and automagically approve your next post as long as the name and email match up.
• Thou Shalt Remember the Chatham House Rule:  I do not repeat anything that was told to me in confidence.  Neither should you.  Yes, there are things I won’t write on here, like the conversation I had with [censored] from [censored] who confirmed that [censored]-[censored] is not yet final because [censored].
• I’m Neither a Crook Nor a Cop:  I have yet to receive any kind of subpoena asking for subscriber or commenter information, nor do I send you stupid spam jokes because I know who you are.

I’ll end with one of my favorite army jokes:  “What’s the difference between a war story and a fairy tale?  A fairy tale begins with ‘Once upon a time’, war stories begin with ‘No sh*t, there I was'”.

• On Government Employees, Culture, and Survivability
• The Press has Me all Confused
• My Blog is Dead, Long Live My Blog!
• On Why I Blog… FUD is the Reason for the Writin’
• A Funny Thing Happened Last Week on Capital Hill