Tuesday, July 8, 2008

FISMA Phase 2

This guy got me thinking on this Phase 2 idea:
The certifiers are supposed to be getting certified themselves. But really, what is the point? With SCAP and FDCC coming down, and no one really giving a shit about their management and operational controls (my experience, yours may be different), why bother?

Stay with me here. Everything is going to be canned: OMB is going to want things in XML or in a specific template. The policies (FDCC and more to come) are going to be government wide. The documentation goes in a template (ok, that's good) and the interviews reveal no detail. Physical security walkthrough? I'll inherit that one.

This program to accredit the certifiers = good idea. Execution = not so much.

Now for some prognostication:
  • Who is making sure that the accreditors are certifying properly? NIST? OMB? Individual IGs? This is unclear.
  • Implementing a FIPS or OMB memo requiring the use of Certified Certifiers? Unlikely. But in case they do, how many are there going to be?
  • Is the certification by company or by person? If they have a CAP or CISA certification will they be grandfathered?
  • What kind of reporting will be required of the certifiers to the government, so that they are on the hook for their methods?
  • How many are there going to be?
With such a small market of people even offering this type of service, to throw in this extra complexity is ... admirable. From the supply side this is good: everything is canned, all you have to do is run through the course, and then you are firm-fixed-pricing it all the way to the bank.

But really, how does this help the government manage its risk better? I don't think it does.

I would like to hear some creative ways that the certifiers could be trained / certified to perform these audit functions, but in such a way that is fair to the government AND the auditor. Or, to continue this idea, maybe it isn't necessary at all, and there should instead be more policy and leadership from the top.
