FISMA Is a Joke
Thanks to SANS Newsbites I read the article FISMA Fizzles. I've written about FISMA before. The new article points me to a potential wise man who understands that FISMA is a joke: ex-Energy Department CIO Bruce Brody. This comment cut straight to the problem with FISMA:
OMB's FISMA implementation basically boils security down to paperwork exercises, and score card pressure ensures it stays that way. But that's not how cybersecurity works; it requires real-time monitoring, updating and patching, Brody says, which isn't necessarily reducible to a paper trail. (emphasis added)
Did I read "real-time monitoring"? Wow. Mr. Brody "gets it." Consider the alternative point of view:
FISMA has its defenders. An agency fully compliant with FISMA is a secure agency, says Scott Charbo, Homeland Security Department CIO. The law and cybersecurity are "the same thing in my mind," he says.
I see. Reading the DHS' grade history shows they have a perfect F record for the last three years. Just because DHS is in a sorry state and its scores are an F doesn't mean that an agency with straight A's is secure!
Let's get back to monitoring. Mr. Brody has correctly recognized that the absolute first priority for a security program is to figure out what is happening. If you have no idea what is happening in your enterprise, how can you expect to "secure" it? It doesn't even make sense to figure out what systems you have before you start monitoring. When you start watching traffic, intruders will show you your systems. The most vulnerable and/or interesting targets will get the most attention from the adversary, and you should address those first.
If you are a federal agency and you want to learn more about implementing monitoring, please contact me: richard at taosecurity dot com. I can teach you what to do, efficiently and cheaply. I may not be wearing my blue uniform any more, but I want to do my part. FISMA is not helping.
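The "watch traffic first and let the adversary show you your systems" idea above, as an added example that is not the post's own code: it derives an asset list from a constructed connection log and ranks (host, port) pairs by how many distinct external sources touched them, assuming 10.0.0.0/8 is the enterprise range.

```python
"""Passive asset discovery from traffic, ranking internal hosts by attacker attention.

Added example, not from the original post. Input is a constructed, simplified
connection log (one record per flow: time, src, dst, dst_port); the internal
prefix 10.0.0.0/8 is an assumption.
"""
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed enterprise range

# Constructed sample flows: (timestamp, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("2007-03-01T10:00:01", "203.0.113.5", "10.1.2.3", 22),
    ("2007-03-01T10:00:02", "203.0.113.5", "10.1.2.3", 3306),
    ("2007-03-01T10:00:03", "198.51.100.7", "10.1.2.3", 22),
    ("2007-03-01T10:00:04", "198.51.100.9", "10.1.2.3", 22),
    ("2007-03-01T10:00:05", "203.0.113.5", "10.1.2.4", 80),
    ("2007-03-01T10:00:06", "10.1.2.4", "192.0.2.10", 443),  # outbound, not counted
    ("2007-03-01T10:00:07", "10.9.9.9", "10.1.2.9", 445),    # internal to internal
]


def discover_assets(flows):
    """Return {internal_host: {port: set(external_sources)}} from observed flows.

    Every internal address seen as src or dst is an asset, whether or not any
    inventory lists it; only inbound flows from outside the enterprise count
    as adversary attention.
    """
    assets = defaultdict(lambda: defaultdict(set))
    for _ts, src, dst, dport in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for ip in (src_ip, dst_ip):
            if ip in INTERNAL:
                _ = assets[str(ip)]  # record the host even with no inbound hits
        if dst_ip in INTERNAL and src_ip not in INTERNAL:
            assets[str(dst_ip)][dport].add(str(src_ip))
    return assets


def rank_by_attention(assets):
    """Order (host, port, n_sources) by distinct external sources, most first."""
    scored = [(host, port, len(srcs)) for host, ports in assets.items()
              for port, srcs in ports.items()]
    return sorted(scored, key=lambda t: (-t[2], t[0], t[1]))


if __name__ == "__main__":
    for host, port, n in rank_by_attention(discover_assets(SAMPLE_FLOWS)):
        print(f"{host}:{port} touched by {n} external source(s)")
```

Hosts that appear only in internal-to-internal traffic still show up in the asset list with no inbound entries, which is exactly the inventory a scorecard never produces.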
Comments
The best approach would hopefully blend things like the FISMA into actual hands-on penetration testing and evaluation...something consultants would be more appropriate to perform as opposed to internal gov't systems.
Of note, I also understand the need to have an objective scorecard. When you start butting up against judicial law, you have to have things spelled out. Realtime law-changing just does not happen most of the time. If a company/agency has a low scorecard rating against a battery of questions and objectives (FISMA) and something negative happens, this allows people to point fingers. This is one of the seeming requirements of gov't and law. You gotta have a line...I don't think there is a grey line called "reasonable to a security officer" line. (In reference to many laws like sexual harassment laws that point to what a "reasonable" person would feel...)
-LonerVamp
Meanwhile, their security folks send emails referring to signoffs by people with certain titles, and want us to do the same sort of thing. Worse, their folks with the titles necessary to sign off on nonexistent paperwork seemingly don't know enough about networking to discuss the issues with us. We can't even get scope or requirements, let alone any kind of design discussion started.
I made the mistake of looking at email about that mess while on vacation, and started muttering about FISMA in front of a friend we were skiing with. About 50 years ago, he had landed in North Africa, Sicily, Italy, and Normandy, then fought through the Battle of the Bulge. After all that, he taught school for US DoDDS for 30+ years. He reminded me of the difference between peacetime soldiers, and wartime soldiers.
I think that dichotomy is similar to what we're seeing here. FISMA does a great job of enhancing headcount to fill out all the paperwork, which is the point of any bureaucratic empire. It's wasteful and has opportunity costs when it comes to defense planning, though is otherwise not directly harmful when you're not under regular attack.
However, those of us who are fighting day in and day out tend to have little to no understanding of REMFs. If we were to spend our time filling out all that FISMA, ISO9000, etc. paperwork instead of paying attention to our threat assessments, our systems would be compromised at an even greater rate.
Instead of FISMA, "the book" for us needs to be a combat manual.
No wonder why they got an F in computer security....
Source: DHS Gets Another F in Computer Security