Comments on How is that Assurance Evidence?: A New Draft of the Same Thing with Thoughts on Outsourcing

Chris (https://www.blogger.com/profile/03271557297047783414), 2008-05-22:

It doesn't mean that the government loses its economies of scale. It just means that the shared platforms they build need to apply controls.

It is a common misconception that the government's data and commercial data can't be on the same system. But the government's data must be protected. If that contractor can provide that assurance, then there is no problem. Just an Interconnection Agreement and/or Memorandum of Understanding.

It may mean that some companies would build government-specific and commercial-specific systems. But that may not be to the company's benefit; they could have one set of documentation for FISMA and another for ISO 27001 on the same system.

FISMA and the Risk Acceptance Process is inherently flawed in favor of mission success, but still I think that the service provider can derive value from system certification. Just doing it better and planning it out.

rybolov (https://www.blogger.com/profile/09022232218670789122), 2008-05-19:

"To the Honorable Karen Evans: Please issue a memo stating unequivocally that: outsourced, managed, clouded virtualized, SaaS, shared whatevers need controls implemented to the same level that they would be if the government had built it themselves."

Ack, please no.

A blanket statement like what you're asking for means that the Government loses economy of scale because all the service providers would build dedicated-mode services, i.e., we would drop MPLS and stick with leased lines, and instead of shared-seat MSSP operators you end up with dedicated contract staff. That gets way pricey.

As a contractor, there are some things that I cannot do. I cannot accredit systems. I cannot accept risk. I cannot report to OMB/GAO. However, I can support the client agencies who do--and that's a key difference.

Back in my CISO days (last year), the policy statement for us was to provide a "level of protection equivalent or superior to client government agencies".

You're highly vindicated though--there is a huge need for guidance. The official NIST line is "Make a risk-based decision and consider compensating controls".

Scope creep on the Government's behalf means that service providers, state and local government, and software vendors will some day reside within our scope of responsibility.