Friday, March 24, 2006

FISMA Is a Joke

Thanks to SANS Newsbites I read the article FISMA Fizzles. I've written about FISMA before. The new article points me to a potential wise man who understands that FISMA is a joke: ex-Energy Department CIO Bruce Brody. This comment cut straight to the problem with FISMA:

OMB's FISMA implementation basically boils security down to paperwork exercises, and score card pressure ensures it stays that way. But that's not how cybersecurity works; it requires real-time monitoring, updating and patching, Brody says, which isn't necessarily reducible to a paper trail. (emphasis added)

Did I read "real-time monitoring"? Wow. Mr. Brody "gets it." Consider the alternative point of view:

FISMA has its defenders. An agency fully compliant with FISMA is a secure agency, says Scott Charbo, Homeland Security Department CIO. The law and cybersecurity are "the same thing in my mind," he says.

I see. Reading the DHS' grade history shows they have a perfect F record for the last three years. Just because DHS is in a sorry state and its scores are an F doesn't mean that an agency with straight A's is secure!

Let's get back to monitoring. Mr. Brody has correctly recognized that the absolute first priority for a security program is to figure out what is happening. If you have no idea what is happening in your enterprise, how can you expect to "secure" it? It doesn't even make sense to figure out what systems you have before you start monitoring. When you start watching traffic, intruders will show you your systems. The most vulnerable and/or interesting targets will get the most attention from the adversary, and you should address those first.

If you are a federal agency and you want to learn more about implementing monitoring, please contact me: richard at taosecurity dot com. I can teach you what to do, efficiently and cheaply. I may not be wearing my blue uniform any more, but I want to do my part. FISMA is not helping.

6 comments:

Anonymous said...

Excellent post! The company I work for has recently been placed under the umbrella of gov't regulations, including the battery of questions from the FISMA. I agree with you and Mr. Brody. FISMA does some things well, I will give it that. It puts heavy emphasis on documentation, policies, and standard procedures, which is very important. But yes, it completely ignores what I would consider the "active" part of security; that part that is ever-changing, active, realtime, subjective.

The best approach would hopefully blend things like the FISMA into actual hands-on penetration testing and evaluation...something consultants would be more appropriate to perform as opposed to internal gov't systems.

Of note, I also understand the need to have an objective scorecard. When you start butting up against judicial law, you have to have things spelled out. Realtime law-changing just does not happen most of the time. If a company/agency has a low scorecard rating against a battery of questions and objectives (FISMA) and something negative happens, this allows people to point fingers. This is one of the seeming requirements of gov't and law. You gotta have a line...I don't think there is a grey line called "reasonable to a security officer" line. (In reference to many laws like sexual harassment laws that point to what a "reasonable" person would feel...)

-LonerVamp

mcburton said...

I think we are getting very close to the real issue. How do we enforce accountability in cyber-security? The legal system is a pre-existing infrastructure designed to manage and enforce accountability. LonerVamp, you are totally right, we have to "have a line" IF we are to use the legal system. But to be "reasonably secure" that line is constantly shifting, something the legal system was not designed to handle (purposefully I might argue). There is operational security on one side and then the management on the other. Richard, I would agree, to maintain operational security we must perform continuous NSM and remediation. But can you scale purely operational security practices all the way up to an inter-departmental level? I think there would need to be some sort of meta-framework that acts as an umbrella that allows individuals who are not cyber-security professionals to participate (positively, as opposed to the situation we have now), enforces accountability and encourages continuous, flexible, practical and reasonable NSM and remediation. The reality of the situation is there aren't enough people who "get it" and I am not convinced that will ever change. FISMA appears to be an attempt, albeit a poor one, to use the legal system as that umbrella.
There is no purely technical solution to this problem, just as there is no purely legal/managerial solution...

Richard Johnson said...

I've recently been having problems dealing with a Federal agency that's deep in the throes of FISMA bureaucracy. One of our divisions is trying to find a way to safely put a machine at one of their remote sites, and I've been trying to provide advice. The colocation means we need to figure out how to secure their systems from ours, and ours from theirs, while still getting necessary data transfers done.

Meanwhile, their security folks send emails referring to signoffs by people with certain titles, and want us to do the same sort of thing. Worse, their folks with the titles necessary to sign off on nonexistent paperwork seemingly don't know enough about networking to discuss the issues with us. We can't even get scope or requirements, let alone any kind of design discussion started.

I made the mistake of looking at email about that mess while on vacation, and started muttering about FISMA in front of a friend we were skiing with. About 50 years ago, he had landed in North Africa, Sicily, Italy, and Normandy, then fought through the Battle of the Bulge. After all that, he taught school for US DoDDS for 30+ years. He reminded me of the difference between peacetime soldiers, and wartime soldiers.

I think that dichotomy is similar to what we're seeing here. FISMA does a great job of enhancing headcount to fill out all the paperwork, which is the point of any bureaucratic empire. It's wasteful and has opportunity costs when it comes to defense planning, though is otherwise not directly harmful when you're not under regular attack.

However, those of us who are fighting day in and day out tend to have little to no understanding of REMFs. If we were to spend our time filling out all that FISMA, ISO9000, etc. paperwork instead of paying attention to our threat assessments, our systems would be compromised at an even greater rate.

Instead of FISMA, "the book" for us needs to be a combat manual.

JimmytheGeek said...

A couple of years ago I was heeding the buzz around the vulnerabilities exploited by Nachi...but postponed the patch fest in part because of a state-mandated security policy audit. Nachi showed up...

jdenoy said...

FISMA has its defenders. An agency fully compliant with FISMA is a secure agency, says Scott Charbo, Homeland Security Department CIO. The law and cybersecurity are "the same thing in my mind," he says.

No wonder why they got an F in computer security....
Source: DHS Gets Another F in Computer Security

Brian said...

I am a government employee. While we don't use FISMA for our compliance, we do use a related bureaucratic process called DIACAP. Our last package submitted was roughly 1200 pages. I have been saying that this documentation is our own worst enemy.