Thursday, July 27, 2006

Another Sign C&A is Really Broken

I just read an exceptionally interesting post at the ClearNet Security Blog. It explains the Certification and Accreditation (C&A) process implemented by the US Department of Veteran's Affairs. Yes, those are the same guys who lost that laptop with my Air Force records. Consider this blog excerpt:

Right about this time the second bomb shell went off.... The guy up front promptly says that all test results we collect are to be given to the VA. This makes sense as it is their computers and they are entitled to our analyzed results right? Wrong! The guy corrects himself and says that the results are not to be analyzed by the auditors but by VA personnel. Hmm...so at this point I am not touching a computer nor am I analyzing the results for risk or what is wrong. Something seems very broken about this process at this point.

Please read the whole post for the entire story. I hope CNS continues to share their experiences.

2 comments:

Tim B said...

I am hoping that the follow-on post on that blog contains a description of how the blogger's ethical obligation forced him to report this somewhere than in a blog after the fact.

The C&A Process is not what is broken necessarily, but rather the people in the Government who do not apply it properly and, in this case, ethically.

Richard Bejtlich said...

Here's part 2. Here's part 3.