Monday, June 4, 2007

800-53A Third Public Draft

I briefly looked at the third public draft of the 800-53A. For anyone who knows me, I told you so. You will notice that the catalog is completely different from the second public draft.

Let me begin with my initial problem with using draft documents. First, the second public draft did not cover all the controls for revision 0 or revision 1 of the 800-53. So here we are with procedure gaps, which led to organizations writing their own procedures, which are not consistent or do not cover all the controls in the baseline.

Second, the format. Take the differences between these two. By show of hands, let me know who has adopted the old format and now will have to start over or make significant changes to their documents.

Finally, final is final and draft is draft. Anyone who has been paid based on final delivery of his or her documents knows that. Draft, to me, means that it is apt to change. I would have preferred that we all had reviewed it and sent in our comments rather than have been forced to use it and now needing to start over.

I do not blame the certifiers (for the most part). I know that the government entities are requiring that you use it. However, there are some of you out there who use it so that you did not have to write “old school” procedures. You can call it procedures because it came from NIST. That is not what the document is intended to be. The intent, as I read it, is for the document to be used as a starting point for developing procedures. A procedure is not a narrative; a procedure is a list of steps performed that either pass or fail.

In addition, they are going to tie the 53A procedure description to the SCAP checklists, which removes some of the work for technical analysis. I am not against this, since it will remove confusion and work from the technical portion of an assessment.

I am not against helping entities get through the process. I am against dumbing down the process to the point where it can no longer be more than a “check box” exercise. Value can be gained from a certification, and when done correctly it helps manage enterprise risk.