Thanks to SANS Newsbites I read the article FISMA Fizzles. I've written about FISMA before. The new article points me to a potential wise man who understands that FISMA is a joke: ex-Energy Department CIO Bruce Brody. This comment cut straight to the problem with FISMA:
OMB's FISMA implementation basically boils security down to paperwork exercises, and score card pressure ensures it stays that way. But that's not how cybersecurity works; it requires real-time monitoring, updating and patching, Brody says, which isn't necessarily reducible to a paper trail. (emphasis added)
Did I read "real-time monitoring"? Wow. Mr. Brody "gets it." Consider the alternative point of view:
FISMA has its defenders. An agency fully compliant with FISMA is a secure agency, says Scott Charbo, Homeland Security Department CIO. The law and cybersecurity are "the same thing in my mind," he says.
I see. Reading the DHS' grade history shows they have a perfect F record for the last three years. Just because DHS is in a sorry state and its scores are an F doesn't mean that an agency with straight A's is secure!
Let's get back to monitoring. Mr. Brody has correctly recognized that the absolute first priority for a security program is to figure out what is happening. If you have no idea what is happening in your enterprise, how can you expect to "secure" it? It doesn't even make sense to figure out what systems you have before you start monitoring. When you start watching traffic, intruders will show you your systems. The most vulnerable and/or interesting targets will get the most attention from the adversary, and you should address those first.
If you are a federal agency and you want to learn more about implementing monitoring, please contact me: richard at taosecurity dot com. I can teach you what to do, efficiently and cheaply. I may not be wearing my blue uniform any more, but I want to do my part. FISMA is not helping.