Certification & Accreditation Re-vitalization

Thanks to the newest SANS NewsBites (link will work shortly), I learned of the Certification & Accreditation Re-vitalization Initiative launched by the Chief Information Officer from the office of the Director of National Intelligence. According to this letter from retired Maj Gen Dale Meyerrose, the C&A process is too costly and slow, due to "widely divergent standards and controls, the lack of a robust set of automated tools and reliance upon manual review." He wants to "move from a posture of risk aversion to one of risk management, from a concept of information secuirty at all costs to one of getting the right information to the right people at the right time with some reasonable assurance of timeliness, accuracy, authenticity, security, and a host of other attributes."

That all sounds well and good, but it misses the key problem with C&A -- it doesn't prevent intrusions. It may be seen as a necessary condition for "securing" a system (which is not really possible anyway), but it is in no way sufficient. The forum set up to foster discussion of this initiative contains an insightful thought: Why do we have C&A at all? It's unfortunately that Gen Meyerrose didn't acknowledge that C&A doesn't provide much in the way of "security" at all, but that would admit that .gov and .mil have spent billions to no end. Woops.

Comments

Anonymous said…
The point of a C&A process is not to prevent intrusions. Properly executed, a C&A process will ensure that you have assessed your risk, measured your compliance with your own policies and, most of all, have someone of authority stand up and take ownership for the security of the system.

Conceptually, the idea of certification and accreditation does make for better security. The execution of the C&A process, so far, has not be all the effective. At least with the forum, they are trying to enlist better ways to do it.
4:43 PM
Richard Bejtlich said…
Tim, are you serious? By intrusion I mean a compromise of CIA. So if C&A isn't supposed to prevent a compromise of CIA, then why bother with those items you cite? Neat blog by the way.
4:46 PM
Anonymous said…
The problem with C&As is that there doesn't seem to be one standard to work towards. However, we should fix it (yes, I know this is near impossible) not throw the baby out with the bathwater.

I've been on the receiving end of C&As for the past 5-6 years now - and all of our systems/networks are much more secure because of them. Among the myriad of items that are looked at, intrusion prevention is one of them. If someone elses C&A didn't include looking at intrusion prevention, see my first sentence.

The other issue I see with C&As is that a lot of folks on the receiving end associate C&As with a visit from the IRS. They should learn do work with the accreditation folks, and not against them. Yes, I know this is sometimes impossible because of manpower issues, but you know what, securing your systems/networks has to be done.

My two cents.
12:18 AM
Anonymous said…
As a (new) DoDIIS certifier, I think the C&A process is definitely needed, although it should be tweaked. The one thing you're missing is that anything related to intelligence is automatically assigned to the upper enclave. However, that doesn't mean that developers and sysadmins should be free to engage in poor security practices. The biggest problem that I've seen is with the ATOs, IATOs, etc. Groups would recieve an IATO and continue to request a new IATO every year without having to go through the process to obtain an ATO (good for 3 years).
9:01 PM
Anonymous said…
C&A is fine, but it's only part of the work. You can use a lack of C&A as something to blame when you have a security breach, but as Richard points out, detection and response are just as important to the success of your security program.
9:59 AM
Shirkdog said…
I was working in a department where all the C&A paperwork was completed, yet no one was watching the actually technology in the C&A. Great, you have IDS systems on the border routers, uh...are you watching them?? I was picking up root passwords over ftp and other fun things. :-)

A completed C&A is an approval to operate, but does not mean that you system is secure enough to never have it's CIA compromised. C&A does not mean "Your entire security program is completed for 3 years".
11:07 AM
Anonymous said…
C&A's are good in that they help you assess your risks, point out areas that you may not have a plan, like COOP, and help you evaulate risk versus gain.

However, far too much time and effort is spent preparing 5+ pounds of paper that is rarely, if ever, read while far too little time and effort is spent actually doing security.

In other words, they are kind of like many CISSP's, they can talk about security but doing security is a whole n'other matter. ;-)
8:46 PM
Anonymous said…
i wonder how companies like google, Amazon.com or bank of america do C&A...can't the IC learn from them?

I bet they don't create reams of docs that no one reads...
3:32 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more