Friday, June 09, 2006

Certification & Accreditation Re-vitalization

Thanks to the newest SANS NewsBites (link will work shortly), I learned of the Certification & Accreditation Re-vitalization Initiative launched by the Chief Information Officer from the office of the Director of National Intelligence. According to this letter from retired Maj Gen Dale Meyerrose, the C&A process is too costly and slow, due to "widely divergent standards and controls, the lack of a robust set of automated tools and reliance upon manual review." He wants to "move from a posture of risk aversion to one of risk management, from a concept of information security at all costs to one of getting the right information to the right people at the right time with some reasonable assurance of timeliness, accuracy, authenticity, security, and a host of other attributes."

That all sounds well and good, but it misses the key problem with C&A -- it doesn't prevent intrusions. It may be seen as a necessary condition for "securing" a system (which is not really possible anyway), but it is in no way sufficient. The forum set up to foster discussion of this initiative contains an insightful thought: Why do we have C&A at all? It's unfortunate that Gen Meyerrose didn't acknowledge that C&A doesn't provide much in the way of "security" at all, but that would admit that .gov and .mil have spent billions to no end. Woops.

8 comments:

Tim Bilbro said...

The point of a C&A process is not to prevent intrusions. Properly executed, a C&A process will ensure that you have assessed your risk, measured your compliance with your own policies and, most of all, have someone of authority stand up and take ownership for the security of the system.

Conceptually, the idea of certification and accreditation does make for better security. The execution of the C&A process, so far, has not been all that effective. At least with the forum, they are trying to enlist better ways to do it.

Richard Bejtlich said...

Tim, are you serious? By intrusion I mean a compromise of CIA. So if C&A isn't supposed to prevent a compromise of CIA, then why bother with those items you cite? Neat blog by the way.

Alvin Liau said...

The problem with C&As is that there doesn't seem to be one standard to work towards. However, we should fix it (yes, I know this is near impossible) not throw the baby out with the bathwater.

I've been on the receiving end of C&As for the past 5-6 years now - and all of our systems/networks are much more secure because of them. Among the myriad of items that are looked at, intrusion prevention is one of them. If someone else's C&A didn't include looking at intrusion prevention, see my first sentence.

The other issue I see with C&As is that a lot of folks on the receiving end associate C&As with a visit from the IRS. They should learn to work with the accreditation folks, and not against them. Yes, I know this is sometimes impossible because of manpower issues, but you know what, securing your systems/networks has to be done.

My two cents.

Anonymous said...

As a (new) DoDIIS certifier, I think the C&A process is definitely needed, although it should be tweaked. The one thing you're missing is that anything related to intelligence is automatically assigned to the upper enclave. However, that doesn't mean that developers and sysadmins should be free to engage in poor security practices. The biggest problem that I've seen is with the ATOs, IATOs, etc. Groups would receive an IATO and continue to request a new IATO every year without having to go through the process to obtain an ATO (good for 3 years).

wpn said...

C&A is fine, but it's only part of the work. You can use a lack of C&A as something to blame when you have a security breach, but as Richard points out, detection and response are just as important to the success of your security program.

Shirkdog said...

I was working in a department where all the C&A paperwork was completed, yet no one was watching the actual technology in the C&A. Great, you have IDS systems on the border routers, uh...are you watching them?? I was picking up root passwords over ftp and other fun things. :-)

A completed C&A is an approval to operate, but does not mean that your system is secure enough to never have its CIA compromised. C&A does not mean "Your entire security program is completed for 3 years".

chris said...

C&As are good in that they help you assess your risks, point out areas where you may not have a plan, like COOP, and help you evaluate risk versus gain.

However, far too much time and effort is spent preparing 5+ pounds of paper that is rarely, if ever, read while far too little time and effort is spent actually doing security.

In other words, they are kind of like many CISSPs: they can talk about security, but doing security is a whole n'other matter. ;-)

eMarv said...

I wonder how companies like Google, Amazon.com or Bank of America do C&A...can't the IC learn from them?

I bet they don't create reams of docs that no one reads...