You might be asking how IKANHAZFIZMA keeps bringing you lolcats week after week.  We have an answer: redundancy!

• Lolcats and QR Codes
• Lolcats, Capital Hill, and a Haiku
• IKANHAZFIZMA and Transparency
• Lolcats Protect the End Users
• Bolt-On Security

While you were looking the other way, OMB released their Fiscal Year 2008 Report to Congress on Implementation of The Federal Information Security Management Act of 2002.  Mostly it’s just the verbatim responses from the agencies and a rollup of the numbers with scarcely any analysis.

It’s interesting to contrast this with last year’s report which had a huge chunk of analysis.  In my cynical hours, I like to mentally replace “analysis” with “spin”, but not today.  =)

Another interesting thing is that since they published the actual responses, you can get some analysis like Angela Gunn of BetaNews provides.

My opinion: metrics are good, raw data is better.

Government transparency in action?  Maybe.  New staffers at OMB? Also likely.

Another interesting and related article is this one from Federal Computer News on Government security metrics. Yes, they need to be reconsidered, but for the most part the existing metrics are aimed at the major provisions of FISMA the LAW which is very high-level and very management-centric.  But hey, that’s what the law is supposed to provide, but more on that later.

• FISMA Report Cards Issued–Response is Rote by Now
• Next Up in Security Legislation: S3474
• GAO’s 5 Steps to “Fix” FISMA
• OMB Wants a Direct Report
• FISMA Report Card News, Formulas, and 3 Myths

Security controls for cats:  Keep them out of bright light, keep them dry, and whatever you do, don’t feed them after midnight. kthnx bai.

• Yet More Security Controls You Won’t See in SP 800-53
• LOLCATS: Defending our Cyber-Turf
• Aurora and LOLCATS
• Cyber-FEMA LOLCATS Prepare for Cyber-Katrina
• LOLCATS Take on Catalog of Controls

As featured on twitter.  Shrdlu was looking for a poster for some contest and I couldn’t resist. Yes I’m violating my own groove by posting 2 lolcats in a row, but since “the cat was out of the bag” already thanks to twitter, I thought I would share with our non-twit readers.

• IKANHAZFIZMA is on Vacation
• Conflicker ala IKANHAZFIZMA
• Lolcats and QR Codes
• Lolcats take on Laws, Sausage, Cyberwhatzits, and PCI
• Preparing for Cybergeddon

CAG Fever… we haz it here at Guerilla-CISO.  So far the konsensus is that CAG works well as a “Best Practices” document but not really as an auditable standard.  We’re thinking that CAG will provide the rope with which our IGs and GAO will hang us.

• CIO Council Guidelines on Social Media Meet IKANHAZFIZMA
• LOLCATS Take on MS08-67
• Shmoocon: Less Moose, More LOLCATS
• Guerilla CISO Goes Back to Work
• IKANHAZFIZMA Finds Caution Tape

Did you know that the US Department of Defense published the Consensus Audit Guidelines?  Yes, it’s true!  At least according to a ZDNet UK article title, “US Dept of Defense lists top 20 security controls“.

There is a haze of confusion settling around the Consensus Audit Guidelines origins.  The text of the CAG press release (pdf) is clear that it is developed by a consortium of federal agencies and private organizations.  It further states CAG is part of the Center for Strategic and International Studies work on CSIS Commission report on Cybersecurity for the 44th Presidency.  The title of the CAG press release is also equally clear that it is from a “Consortium of US Federal Cybersecurity Experts” which is substantively different than a consortium of federal agencies and private organizations.

The press release relates that CAG was initiated when a team discovered similarities between massive data losses by the US defense industrial base (DIB) and attacks on Federal agencies.  The project then grew as more agencies agreed to become involved.  Following the current public review of CAG the next steps for development are listed as pilot implementations at government agencies, a CIO Council review and an IG review. The clear inference of this origin story and ennumeration of steps is that the project has official Federal backing.

Let’s test that inference.  Click here for a Google search of the entire *.gov hierarchy for “Consensus Audit Guidelines”.  As I write this there is exactly one entry.  From oregon.gov.  A search using usa.gov (which uses live.com) has the same results.  Looking around the various organizations listed as contributors doesn’t yield any official announcements.

So why the confusion in the press?  Why does it appear from the news articles that this is an Federal project?  I wouldn’t speculate.

On a slightly different topic, I’ve been reading through the Consensus Audit Guidelines themselves and enjoying the guidance it provides.  I’ll write up a more complete analysis of it once I have finished my read through.  My initial impression is that CAG controls provide worthwhile recommendations but the framework for implementation needs development.

All Aboard the Astroturfmobile photo by andydr.  Perhaps an explanation is in order….

• The 10 CAG-egorically Wrong Ways to Introduce Standards
• In Response to “Cyber Security Coming to a Boil” Comments….
• “Machines Don’t Cause Risk, People Do!”
• 20 Critical Security Controls: Control-by-Control
• Keeping The Lights On: Cybersecurity Law for the Electric Grid