Caught on Tape!

Posted May 13th, 2008 by

A couple of weeks ago, Martin McKeay was in town and recorded an interview with me.  I wax poetic on my typical things–FISMA, risk assessment, anti-compliance.

The funny thing is, weeks later, I listened to myself and I actually sound like I know something…. Who woulda thunk it?  =)

Posted in FISMA, Risk Management, Speaking, The Guerilla CISO | No Comments »

An Open Letter to the Next President of the United States

Posted May 8th, 2008 by

Dear <enter candidate’s name>,

Congratulations on your inauguration as the President of the United States. This is a huge accomplishment in your career.

I am writing this letter to tell you that you are inheriting a phenomenal opportunity to succeed when it comes to IT security in the Government. Your predecessors have built a very viable framework for IT security in the US Federal Government. Arrayed around you are some of the brightest and the best people who have done extraordinary work in increasing the cyber security of the United States Government. The following people are included in their ranks:

  • Ron Ross and Marianne Swanson and the rest of the staff in the NIST FISMA project who have labored long and hard to provide research, standards, and guidance not just to the Federal Government but to the nation and the rest of the world.
  • Karen Evans and the rest of the staff at OMB who have set the policy that the executive branch has followed. They are not afraid to make decisions in the face of adversity.
  • US-CERT and the Department of Homeland Security have made huge strides towards building a Government-wide monitoring system. Considering that they started “from scratch” 5 years ago, this is a non-trivial accomplishment.
  • The people at DISA and NSA who have developed technical guidance before it was popular to do so–before FISMA, before PPD-63.

These and countless other people have “fought the good fight” in bringing IT security to the masses on a scale that is unprecedented in history.

But from where I, a humble servant of the public, stand, there are 2 things that you and your administration can do as a whole to increase our Government’s IT security.

#1 Please appoint an executive-branch Chief Information Officer (CIO) and a Chief Information Security Officer (CISO) with both the responsibility and the authority to secure the executive branch’s IT systems. The reason I ask for this is that the Federal Government’s IT infrastructure is a federation of individual business units that are managed separately for risk. At each level of Government, there is an IT manager and a security person to support them–all the way up the chain of command–except for at the top where there is a void wanting to be filled.

As has often been said, the answer to bureaucracy is not to throw more bureaucracy at it, and so creating new positions is not something to do lightly. What our nation needs is a pair of true technology managers at the executive branch level who can adequately manage risk instead of compliance.  This is a tremendous need for the executive branch: OMB is focused on compliance and fiscal responsibility, NIST is focused on research and developer outreach, US-CERT is focused on highly tactical IT security operations, and no one entity controls the strategic security direction of the nation.

#2 Please learn how to use the economic might of the Federal Government to allow the market to determine winners in the security space. What I mean by this is that the Government has for too long put up with inferior IT products and services because we do not present a unified front to the vendors.

Our Federal IT budget for this year is ~$75B, and this is a huge force to bear on the market. This means that the Government is in a prime position to get whatever it asks for from the technology industry; all you have to do is use your fiscal power in a coordinated manner.

Once again, congratulations on the new job.


Cheers

–Rybolov

[Photo: The White House with a tilt shift, by Michael Baird]

Posted in FISMA, Odds-n-Sods, Rants, Risk Management | 2 Comments »

It’s a Problem of Scale!

Posted April 30th, 2008 by

Maybe I’ve been working on slide decks for too long.  That’s why I haven’t been blogging much over the past week:  when you spend 8 hours a day revising and formatting slides, your brain turns to jello.

Then suddenly on Tuesday, it hit me:  the Government’s problem with security is one of scale.  And at this point you all go “Duh, where have you been for the past 200 years?”  And yes, it’s not a problem exclusive to security; it goes hand-in-hand with personnel management, financial management, $foo management, and $bar management.

[Photo: It’s all a problem of SCALE! Large-scale scaley carp, by radcarper]

Now the scale in itself isn’t really the problem; it’s that we don’t have information security models that scale to that level.  What I mean by that is that each agency is pretty much its own enterprise.  The entire executive branch is one huge federation of independent enterprises (and some of those enterprises are themselves federated, but we’ll ignore that for the time being).  Most of our existing thoughts on information security management are focused on the enterprise, and the only hope of using them is to manage each enterprise separately.

Really, folks, we don’t have information security models that scale up as massively as we need to, and what we’ve been doing is borrowing from other fields, most notably Federal law and public accounting.  Unfortunately for us, these are models based on compliance, not risk management.  Even then, I don’t see the compliance angle going away anytime soon.

Now this is the really big problem:  everybody has some kind of criticism about how the Government runs its information security.  But I don’t see anybody with a viable alternative, nor do I expect to see one, because the only people with problems on this scale are large governments.

Posted in FISMA, Rants | No Comments »