The fun part of this time of the year:  the FISMA Report Armchair Quarterbacks.  Hey, even I fit in there somewhere because right now I’m nowhere near being in a decision-making role for the Government.

Well, today it’s the ISC2 blog talking about FISMA.

So why is it that nobody addresses the huge pink and chartreuse elephant in the room?  The problem is not the metrics, as flawed as they might be.  The problem is not identifying a security baseline, even though that makes sense to have.  The problem is not demonstrating Return on Security Investment (as flawed as  the concept is, and no, I don’t want to debate whether it’s a valid concept, even though we all know it’s not) even though good CISOs try to do that as internal marketing to their management.

This is the primary problem for the Government when it comes to security:  due to the scale of the Federal Government, we do not have enough skilled security people to go around.  Almost all of our governance models are designed around this flaw:

• Catalog of controls to standardize
• Checklists so that less-skilled assessors can
• Varying degrees of automation
• Prioritization of security practitioners’ time

This is why I’m adding “Fast Food Franchises” to the list of models that large-scale security can draw from.  =)  More to come on this topic once I sort out the ideas.

McDonald’s Checklist photo by myuibe

• FISMA Report Card News, Formulas, and 3 Myths
• It’s a Problem of Scale!
• Workin’ for the ‘Counters: an Analysis of my Love-Hate Relationship with the CPAs
• An Open Letter to NIST About SP 800-30
• William Jackson on FISMA: It Works, Maybe

Ever watch a marathon on TV?  There’s the usual formula for how we lay out the day:

• History of the marathon and Pheidippides
• Discussion of the race length and how it was changes so that the Queen could watch the finish
• World records and what our chances are for making one today
• Graphics of the race course showing the key hills and the “sprint to the finish”
• Talk about the womens’ marathon including Joan Benoit and Kathrine Switzer
• Description of energy depletion and “The Wall”
• Stats as the leaders hit the finsh line
• Shots of “back-of-the-pack” runners and the race against yourself

Well, I now present to you the formula for FISMA Report Cards:

• Paragraph about how agencies are failing to secure their data, the report card says so
• History and trending of the report card
• Discussion on changing FISMA
• Quote from Karen Evans
• Quote from Alan Paller about how FISMA is a failure and checklist-driven security
• Wondering when the government will get their act together

Have a read of Dancho’s response to the FISMA Report Card.  Pretty typical writing formula that you’ll see from journalists.  I won’t even comment on the “FISMA compliance” title.  Oh wait, I just did.  =)

Some myths about FISMA in particular that I need to dispell right now:

1. FISMA is a report card:  It’s a law, the grades are just an awareness campaign.  In fact, the whole series of NIST Special Publications are just implementation techniques–they are guidance after all.  Usually the media and bloggers talk about what FISMA measures and um, well, it doesn’t measure anything, it just requires that agencies have security programs based on a short list of criteria such as security planning, contingency planning, and security testing.  It just goes back to the adage that nobody really knows what FISMA is.
2. FISMA needs to be changed:  As a law, FISMA is exactly where it needs to be.  Yes, Congress does have talks about modifying FISMA, but not much has come of it because what they eventually discover after much debate and sword-waving is that FISMA is the way to write the law about security, the problem is with the execution at all levels–OMB, GAO, and the agencies–and typically across organizational boundaries and competing master agendas.
3. There is a viable alternative framework:  Dancho points out this framework in his post which is really an auditors’ plugin to the existing NIST Framework for FISMA.  Thing is, nobody has a viable alternative framework because it’s still going to be the same people with the same training executing in the same environment.

Urban Cell-Phone Fire Myth photo by richardmasoner.  This myth is dispelled at snopes.com.

Way back last year I wrote a blog post about indicator species and how we’re expecting the metrics to go up based on our continual measuring of them.  Every couple of months I go back and review it to see if it’s still relevant.  And the answer this week is “yes”.

Now I’ve been thinking and talking probably too much about FISMA and the grades over the past couple of years, so occassionally I come to conclusions .  According to Mr Vlad the Impaler, the report card is a bad idea, but I’m slowly beginning to see the wisdom of it:  it’s an opportunity to have a debate and to raise some awareness of Government security outside of those of us who do it.  The only other time that we have a public debate about security is after a serious data breach, and that’s not a happy time.

I just wish the media would stop with the story line that FISMA is failing because the grades provide recursive evidence of it.

• FISMA Report Cards Issued–Response is Rote by Now
• GAO’s 5 Steps to “Fix” FISMA
• A Funny Thing Happened Last Week on Capital Hill
• Random Thoughts on “The FISMA Challenge” in eHealthcare
• When the Feds Come Calling

Yay, FISMA report card for 2007 has been issued.  You can go check it out here.  I can’t believe it, but DHS scored a “B” against all odds. =)

And of course, by now the response to the report card is all rote–everybody wonders what the letters really mean:

• SC Magazine
• IDG
• IT Business Edge
• Federal Times
• Washington Post
• Security Focus

Yeah, yeah, I guess it just goes to prove what we say about the classified world: the people who know don’t talk and the people who talk don’t know.  In this case, everybody attacks the metric because, well, it’s a bad metric–what action are we supposed to take because of what the results are?  It’s also pretty much ignored by this point anyway except for the witty sound bites from some of my “favorite people”, so it’s nothing to get all hot and bothered about.  The GAO and OMB reports that I’ve covered in much detail are much better and have a pretty decent level of analysis.

But fer chrissakes, the report card is issued by Congress, how much detail do you think it will ever contain?  =)

My rapidly expanding queue of pet peeves about this time of the year:

• People who think that FISMA is just a report card and that we should re-examine how we measure security:  the grades are not even required by the law, it’s just technique and we can change that easily enough.
• People who criticize but do not offer an alternative:  even if you had an alternative plan, the environment for execution still involves the same IT assets and the same front-line employees.
• People who don’t understand enterprise-wide security much less a federation of semi-independent enterprises: it’s the nature of government-wide security metrics that they’ll be indicators which can be faked.
• Sound bites from people who have never implemented any aspect of FISMA:  come on, SANS and Gartner?  GAO and the Cyber Security Industry Alliance are a little bit better but taken out of context.
• Nobody ever asks me for a quote on FISMA numminess:  I’ll be pouting for the rest of the week, TYVM.  =)

Not that I’m the world’s best expert at fact-checking, but something caught my eye in the report:  it’s issued by Tom Davis and the url is from the Minority Office for the House Committee on Oversight and Government Reform.  Tom Davis is the representative from Northern Virginia and is the sponsor for FISMA back when it was signed.  Until the last election, he was the chairman of the House Committee on Oversight and Government Reform.  The committee is now chaired by Henry Waxman. 

Time for a new concept in your vocabulary:  LGOPP (OK, actually it’s LGOP, but I added an extra “P” for comedy purposes).  Imagine June 6th, 1944, paratroopers scattered all over the French countryside.  What happens is you pick up the people around you, the senior person becomes the leader, and you carry out the mission.

Photo of Paratrooper Stained Glass in Sainte Mère Église by Nelson Minar

Hence the true meaning of LGOPP: Little Groups of P*ssed-off Paratroopers.  An equivalent phrase is “isolated pockets of brilliance”.

In the words of somebody I went off to war with:  “LGOPPS are the spirit of the infantry:  a handfull of 18- and 19-year-olds with fully automatic weapons who can barely remember what their mission is running around the woods raising hell”.

Now, I know you guys, you’re wondering what this has to do with security?  Well, this is relevant because it’s an election year.  What that means is that instead of being bothered with all this security stuff, Congress is involved in playing “gotcha” with the Executive branch.  After the election, it’s rearranging deck chairs on the Titanic and all of the leadership will change.

Instead of any national-level security agendas and strategizing, we’ll have to be content with security LGOPPs fighting the fight wherever they end up gaining enough critical mass.

And in the case of this year’s FISMA report card, the LGOPP that is Tom Davis’s staffers issued the report while the rest of the committee was busy worrying about elections.

• FISMA Report Card News, Formulas, and 3 Myths
• GAO’s 5 Steps to “Fix” FISMA
• HR 5983–DHS Now Responsible for Contractor Security
• A Funny Thing Happened Last Week on Capital Hill
• FISMA: Better if PCI. WTF?

I remember it like it was March:  Georgia voluntarily adopted FISMA-esque metrics.  I just found the policy statement for what they’re collecting in 2008.  On a side note, all of Georgia’s security policies feature concepts borrowed from NIST, something I like.

Let’s talk about the scope creep of Government security, shall we?  Fact of the matter is, it’s going to happen, and you’ll get eventually get caught up in FISMA if you’re one of the following:

• State and local government
• Government contractor
• Telco
• Government service provider
• COTS software vendor
• Utilities who own “Critical Infrastructure”

Why do I say this?  Mainly because just like how the DoD is discovering that it can’t do its InfoSec job without bringing the civilian agencies along due to connectivity and data-sharing issues, the Federal Government is coming to the point where it can’t secure its data without involving these outside entities.  Some are providers, but the interesting ones are “business partners”–the people that share data with the Government.

State and local government are the ones to watch for this pending scope creep.  The Federal Government works on the premise that the responsibility to protect data follows wherever the data goes–not a bad idea, IMO.  If they transfer data to the states, the states need to inherit the security responsibility and appropriate security controls along with it.

Now if I’m a contractor and exchange data with the Government, this is an easy fix:  they don’t pay me if I don’t play along with their security requirements.  When a new requirement comes along, usually we can haggle over it and both sides will absorb a portion of the cost.  While this might be true for some state programs, it becomes a problem when there is no money changing hands and the Federal Government wants to levy its security policies, standards, etc on the states.  Then it becomes a revolt against an unfunded mandate like RealID.

There are some indicators of Federal Government scope creep in the Georgia policy.  This one’s my favorite:

The performance metrics will also enhance the ability of agencies to respond to a variety of federal government mandates and initiatives, including the Federal Information Security Management Act (FISMA).

Georgia on my Mind by SewPixie.

• When the Feds Come Calling
• Georgia Modifies and Adopts FISMA Framework
• Why You Should Care About Security and the Government
• Random Thoughts on “The FISMA Challenge” in eHealthcare
• How to Not Let FISMA Become a Paperwork Exercise

CAVEAT:  This document is dangerous!  See this post before you go any further.  You have been warned!

It stands to reason that one of my recurring search strings in my blog stats is people looking for a copy of NIST SP 800-26.  I even have commenters looking for it.  We like commenters enough to give them what they want, don’t we?

So I thought long and hard until my thinker was sore, asked some friends, and puzzled a bit more about why people would be so interested in a document that is, like Latin, dead.

My resident curmudgeon (yes, even a BSOFH needs a role model from time to time), Vlad the Impaler, offered up the suggestion:  That state and local governments need it because they’re usually 5-10 years behind the Federal Government.  Even then, I don’t get it, and with a shrug, I’ll leave it at that.

Anyway, I’ve uploaded the most recent version here (foo.pdf caveat applies).  I got the file in an email from Vlad, so he’s the one you should really thank.  In the spirit of complete irony, this file could become the #1 download for me. =)

CAVEAT:  This document is dangerous!  See this post before you go any further.  You have been warned!

• An Open Letter to NIST About SP 800-30
• SP 800-53A Now Finally Final
• Old Saint NIST: Ho Ho Hold on, what’s this?
• Why You Should Care About Security and the Government
• Some Comments on SP 800-39

Rmogull of Securosis and Gunnar Peterson claim that GRC is dead.  In my typical global-brained style, I want to cut to the root cause of why GRC is stillborn.

As a group, we need to come to the concensus that half of the security industry is a bunch of spam-sending FUD-mongering dotcom dropouts with MBAs who see the “perfect storm” of money and opportunity that an uncertain-but-necessary niche market brings.  Furthermore, I say we distance ourselves from them because they make the rest of us look bad.

Failed parking meter by cgansen. 

These are the same people who pitched technical policy compliance solutions for SOX which became continuous compliance which begat risk management which begat GRC.  Do we really need all this cr*p?

Look at the warning signs of this half of the industry, these were so true for the dotcom era:

• New companies qnd products you’ve never heard of
• Staff nobody’s ever heard of
• “Trendy” product class that everybody wants to do this year
• Claim to have product purchased by a “Major Financial Institution”
• Is a rebranding of a previously-failing product
• Company was not security-focused last year
• Company and product life-span of ~2 years
• No alignment with other vendors or industry leaders
• Technology is “hoaky”–SIEM solutions using MS Access as the back-end
• Feels “gimmicky”

If you see any of these in a perspective vendor, run away now!  And if you do buy, don’t say I didn’t warn you.

Now, in a past life, SSG Rybolov would say something witty like how people who are used to preventing and detecting fraud should be able to come up with a model to keep people from invading the industry looking for the filthy lucre.  In fact, I think I just might have.  =)

The other half of you all, the non-snake-oil-selling half, is great, keep up the good work and never, ever go to the dark side.

• How to Not Let FISMA Become a Paperwork Exercise
• Engagement Economics and Security Assessments
• An Open Letter to the Next President of the United States
• When the News Breaks, We Fix it…
• “Machines Don’t Cause Risk, People Do!”