Thursday, May 29, 2008

FISMA Report Card

I know that I am late on this one, but I have been busy. Just for a brief moment let's consider the point of these report cards and from where they come.

My personal feeling is that the report card means nothing and says even less. They apply an arbitrary metric to an ambiguous reporting mechanism. Any agency could have the best, most secure systems. If they don't report on it correctly, they can still fail. This also means that if the people performing the reporting are not trained correctly they can fail. Lastly, those who know how to report can pass without necessarily having secure systems.

Someone told me recently that the intent of this is to: a) make Congress feel good about doing something productive and b) inspire agency competition for success.

Sorry I am so negative on this, but again there is an "end of project requirements mismatch discovery". OMB, NIST and others recognize that good information systems security comes from well-written policy and superior risk management. Meanwhile, others will try to sell you IDPS, firewalls and log management platforms as solutions to your FISMA problems.

This report card reinforces an oversimplified view of how easy or hard it is to secure an enterprise.

Friday, May 9, 2008

A New Draft of the Same Thing with Thoughts on Outsourcing

The 800-123 Guide to General Server Security came out this week, and really, who needed this? I am sure this would have been helpful in 1995, when people had just started putting servers on the Internet. But who is seriously going to sit down with this and say "I hadn't thought of that!"?

What I think we need now in the age of government *sourcing is some NIST guidance around Cloud, Managed and Virtualized systems.

My personal belief is that vendors are trying to get management/operation of government systems out of the government's hands so that there isn't as much bureaucracy.

Here is the thing: it is still the government's data. The system still must be certified.

To the Honorable Karen Evans: Please issue a memo stating unequivocally that: outsourced, managed, clouded virtualized, SaaS, shared whatevers need controls implemented to the same level that they would be if the government had built it themselves.

Quoteth the FISMA 3544(a)(1):
"(A) providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of—
"(i) information collected or maintained by or on behalf of the agency; and
"(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
So for those of you out there who keep saying "Chris, it isn't in the agency's physical boundary": stop it. You know who you are.

More on this later (I keep saying this, but will it ever happen?).


I really don't have anything I want to address today, just a note to let you know I am alive. I have been mucho grande busy on a project for work and I am helping to redefine the process at work under my "Improve Your Process" mantra.

I will say this, I had committed to posting my review/comments of the 800-39. The reason why I am not is that I don't really have any. I don't really see the purpose of the document. It is high level, and only really says: do what the 800-37 tells you and conduct 800-30 style assessments in detail and often. So if you are brand new and require an overview, perhaps this will help. Sorry I couldn't be more help.

There is supposed to be a new 800-30 on the horizon that should match better to the 800-39. We'll see.

Update: I looked at the Second Public Draft of 800-39 with much the same feelings.