Friday, August 8, 2008

More Commentary from the Unknowing

I am not certain what the point of this article started out as:

But I am fairly certain that someone said, "Go write something about FISMA." For me, it is additional aggravation. Why? Let me tell you.

They ask the same people the same questions every time expecting a different result. Albert Einstein said it best.

FISMA is a paperwork drill at a minimum; when properly applied, it can actually benefit the organization. Like most things, you reap what you sow. If you believe it is a paperwork drill, then that is what you get. If you believe that value can be driven by:
  • requiring a set of controls be implemented;
  • testing against that set of controls;
  • identifying risks based on a control's lack of implementation;
  • strengthening the controls now that you know the risks;
  • tracking residual risks throughout the life cycle of the system.

Then you may perhaps see some return.

My opinion is that those who think a paperwork drill is sufficient should consider changing their tune, because it won't be long before someone expects real risk management.

Think 800-60 is to FIPS 199 and 800-53 is to FIPS 200 as 800-39 is to ...?


Thurman said...

I lived FISMA as a Federal CISO. The problem with FISMA -- and the reason it's being replaced with new legislation this year -- is that the idiots in OMB who couldn't spell security if you gave them the first seven letters decided that measures of performance instead of measures of effectiveness would be sufficient. Thus, if you run 100% of your agency's workforce through security awareness training in a year, you get a green in that category. But measuring the quality, content or effectiveness of that training is never done. And that's only one example of the flawed process.

No ifs, ands or buts, the Federal computing enterprise is owned by foreign, hostile intelligence services, and FISMA has done almost nothing to prevent it. You can argue that FISMA has squandered precious resources for silly scorecards and actually prevented resources from being spent on real security.

Chris said...

So what hope do we have if the same people are in charge at OMB?

They can misinterpret the intent just as well with the new legislation.

DanPhilpott said...

That article was the most biased and inaccurate bit of dross ever penned on the topic of FISMA. The opening and closing statements in the article were given to a marketing guy for a company that competes for Federal security dollars with FISMA compliance. It states FDCC is a USAF program. It says FISMA is heading towards DoD compliance while skipping over the fact that DITSCAP was ditched in favor of the more FISMA guidance-like DIACAP (and that further developments are heading toward a combined standard based on NIST's FISMA guidance).

What really gets my goat is that when I commented on it at the SC Magazine site the comments just disappeared. Nice.

Karen Evans is supposed to be leaving OMB after the transition so there should be some changes there. I wouldn't blame OMB too much, they also pushed the TIC and FDCC initiatives which are very good operational security initiatives, if overzealous in their implementation.

Therese said...

This is great!