Wednesday, August 8, 2007

The GAO Report

I have read the GAO report (pdf). Really my only comment is “DUH!”. Tell us something we don’t know. But it may be shocking to Congress.

The report basically recaps all the deficiencies that I already knew, and some that I didn’t know. Like the IRS, they apparently have huge deficiencies, despite the SCSEM that I ran up against a number of years ago, which was a decent policy; their issue (as with most) is implementation.

So, if you are having issues getting your policy in line: I heard that SecurityExpressions can do an “Audit on Network Discovery”, or something like that. Unless you get all OKs on your policy check when you attach your laptop to the network, you don’t get network access. Maybe it was just a beta thing that the sales guy said was on the horizon, but it would be cool if you could do it.

Imagine that only certain MAC addresses are allowed to connect, and those MACs must be compliant with the system policy!

The report also calls out Inventory and Configuration management, which falls in with what I have already said above. If you know what machines are allowed to connect to the system and the configuration is enforced or the machine is denied access – then the ISSM will know exactly what is going on.
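To make the "audit on connect" idea above concrete, here is a small admission model written for this post (it is not code from the blog, from SecurityExpressions, or from any real NAC product). It assumes a constructed inventory of approved MACs and a constructed policy of pass/fail configuration checks; a host is admitted only if its MAC is in the inventory and every check passes, and anything missing or malformed is treated as a failure so the decision fails closed.

```python
"""Toy "audit on network connect" admission decision.

Added example, not from the original post or from SecurityExpressions.
The inventory, the policy checks and the host reports are all constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed inventory: MACs the ISSM has approved for connection.
# A MAC is an inventory identifier here, not proof of identity; it is
# trivially changeable, so a real deployment pairs it with 802.1X or
# certificate-based device authentication.
APPROVED_MACS = {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"}

# Constructed policy: check name -> predicate over the host's reported config.
# Each check is a single step that either passes or fails.
POLICY: Dict[str, Callable[[dict], bool]] = {
    "host_firewall_enabled": lambda cfg: cfg.get("firewall") is True,
    "patch_level_current": lambda cfg: cfg.get("patch_level", 0) >= 42,
    "antivirus_signatures_recent": lambda cfg: cfg.get("av_sig_age_days", 999) <= 7,
    "screen_lock_timeout": lambda cfg: 0 < cfg.get("lock_timeout_min", 0) <= 15,
}


@dataclass
class Decision:
    admit: bool
    reason: str
    failed_checks: List[str] = field(default_factory=list)


def evaluate_policy(config: dict) -> List[str]:
    """Return the names of the checks that did NOT pass.

    A predicate that raises (e.g. a malformed report with the wrong type)
    counts as a failure rather than crashing the decision.
    """
    failed = []
    for name, check in POLICY.items():
        try:
            ok = bool(check(config))
        except Exception:
            ok = False
        if not ok:
            failed.append(name)
    return failed


def admission_decision(mac: str, config: Optional[dict]) -> Decision:
    """Admit the host only if it is inventoried AND fully compliant."""
    mac = mac.lower()
    if mac not in APPROVED_MACS:
        return Decision(False, "MAC not in approved inventory")
    if config is None:
        # No audit result at all: treat as non-compliant (fail closed).
        return Decision(False, "no configuration report received", list(POLICY))
    failed = evaluate_policy(config)
    if failed:
        return Decision(False, "policy check(s) failed", failed)
    return Decision(True, "compliant")


if __name__ == "__main__":
    # Constructed host reports for demonstration.
    good = {"firewall": True, "patch_level": 42, "av_sig_age_days": 3, "lock_timeout_min": 10}
    stale = dict(good, patch_level=41, av_sig_age_days=30)
    for mac, cfg in [("00:11:22:33:44:55", good),
                     ("00:11:22:33:44:55", stale),
                     ("de:ad:be:ef:00:00", good),
                     ("AA:BB:CC:DD:EE:01", None)]:
        d = admission_decision(mac, cfg)
        print(mac, "ADMIT" if d.admit else "DENY", d.reason, d.failed_checks)
```

The useful property is that the inventory question (is this machine allowed at all?) and the configuration question (does it meet the baseline?) are answered separately, so a denial tells the ISSM exactly which of the two went wrong and which checks failed.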

GAO also says that the Inspectors General are not enforcing a common testing criterion. Well. What do they want? The 800-53A is in third public draft, and given the size of some of these agencies, and the money given to the IG for independent review, how is an IG to get through it all?

It is worrisome for me that the GAO put this report together the way they did. Not that it should really change anything. I would worry that Congress would put their considerably sized nose in the middle of NIST’s and OMB’s business.

Congress and GAO shouldn’t be expecting miracles and they can’t compare FISMA to SOX, GLBA and HIPAA. Those are laws for the public and there are real penalties for non-compliance. I have yet to see a CIO go down for not keeping a major system inventory or for accepting a risk that could have been mitigated.

Call me an optimist, but every time a report comes out or there is a new public draft, I think “Oh goody, now we are getting somewhere”. Perhaps the 53A will help somewhat; maybe after the SCAP conference in September some new tools will come out.

But this is not that.

Thursday, July 19, 2007

FIPS-140-3 Draft

FIPS-140-3 has been released. As always, I will review at my leisure and post my review (if I actually get around to it).

Monday, July 9, 2007

Here is an interesting article that doesn't help the case for the Data Breach Act.

Congressional Action

I am not a fan of Norm Coleman, who happens to be a Republican senator from Minnesota. Norm has decided that he wants to amend FISMA. It is called the "Federal Agency Data Breach Protection Act", and like most legislation, has no teeth. It leaves the implementation to OMB and sets no timeline for public notification of a breach. It is identical to H.R. 2124, which is not unusual, since the same text needs to be passed in both the House and Senate.

So if you are reading this and thinking to yourself, "Oh deary me, now I have to change everything". Fret not. First, these bills must become law. Then OMB needs to decide how they are going to implement it. Lastly, you are probably doing all of what it is asking already. The only thing that agencies will really have to worry about is making sure that inventories are controlled and when employees or contractors are terminated that the government equipment is returned.

Further, this has been tried before and didn't make it. If you are an outsourced system, you should know that you will be subject to the law.

Monday, June 4, 2007

800-53A Third Public Draft

I briefly looked at the third public draft of the 800-53A. For anyone who knows me, I told you so. You will notice that the catalog is completely different from the second public draft.

Let me begin with my initial problem with using draft documents. First, the second public draft did not cover all the controls for revision 0 or revision 1 of the 800-53. So here we are with procedure gaps, which led to organizations writing their own procedures which are not consistent or do not cover all the controls in the baseline.

Second, the format. Take the differences between these two. By show of hands, let me know who has adopted the old format and now will have to start over or make significant changes to their documents.

Finally, final is final and draft is draft. Anyone who has been paid based on final delivery of his or her documents knows that. Draft, to me, means that it is apt to change. I would have preferred that we all had reviewed it and sent in our comments rather than have been forced to use it and now needing to start over.

I do not blame the certifiers (for the most part). I know that the government entities are requiring that you use it. However, there are some of you out there that use it so that you did not have to do “old school” procedures. You can call it procedures because it came from NIST. That is not what the document is intended to be. The intent, as I read it, is for the document to be used as a starting point for developing procedures. A procedure is not a narrative; a procedure is a list of steps performed that either pass or fail.

In addition, they are going to tie the 53A procedure description to the SCAP checklists, which removes some of the work for technical analysis. I am not against this since it will remove confusion and work from the technical portion of an assessment.

I am not against helping entities get through the process. I am against dumbing down the process to the point where it can no longer be more than a “check box” exercise. Value can be gained from a certification, and when done correctly it helps manage enterprise risk.