Wednesday, August 8, 2007

The GAO Report

I have read the GAO report (pdf). Really my only comment is “DUH!”. Tell us something we don’t know. But it may be shocking to Congress.

The report basically recaps all the deficiencies that I already knew, and some that I didn’t know. Like the IRS, they apparently have huge deficiencies, despite the SCSEM that I ran up against a number of years ago. That was a decent policy; their issue (as with most) is implementation.

So, if you are having issues getting your policy in line: I heard that SecurityExpressions can do an “Audit on Network Discovery”, or something like that. Unless you get all OKs on your policy check when you attach your laptop to the network, you don’t get network access. Maybe it was just a beta thing that the sales guy said was on the horizon, but it would be cool if you could do it.

Imagine that only certain MAC addresses are allowed to connect and those MACs must be compliant with the system policy!

The report also calls out Inventory and Configuration management, which falls in with what I have already said above. If you know what machines are allowed to connect to the system and the configuration is enforced or the machine is denied access – then the ISSM will know exactly what is going on.

GAO also says that the Inspectors General are not enforcing a common testing criterion. Well. What do they want? The 800-53A is in third public draft, and given the size of some of these agencies, and the money given to the IG for independent review – how is an IG to get through it all?

It is worrisome for me that the GAO put this report together the way they did. Not that it should really change anything. I would worry that Congress would put their considerably sized nose in the middle of NIST’s and OMB’s business.

Congress and GAO shouldn’t be expecting miracles and they can’t compare FISMA to SOX, GLBA and HIPAA. Those are laws for the public and there are real penalties for non-compliance. I have yet to see a CIO go down for not keeping a major system inventory or for accepting a risk that could have been mitigated.

Call me an optimist, but every time a report comes out or there is a new public draft, I think “Oh goody, now we are getting somewhere”. Perhaps the 53A will help somewhat, maybe after the SCAP conference in September some new tools will come out.

But this is not that.