Comments on TaoSecurity Blog: FISMA Is a Joke
Blog author: Richard Bejtlich
Comment feed last updated 2023-10-16

Brian (2009-02-27 19:17 -05:00):

I am a government employee. While we don't use FISMA for our compliance, we do use a related bureaucratic process called DIACAP. Our last package submitted was roughly 1200 pages. I have been saying that this documentation is our own worst enemy.

Johan & Estelle (2006-03-30 01:02 -05:00):

Quoting: "FISMA has its defenders. An agency fully compliant with FISMA is a secure agency, says Scott Charbo, Homeland Security Department CIO. The law and cybersecurity are 'the same thing in my mind,' he says."

No wonder why they got an F in computer security....

Source: "DHS Gets Another F in Computer Security", http://www.washingtonpost.com/wp-dyn/content/article/2006/03/15/AR2006031501589.html

JimmytheGeek (2006-03-29 20:40 -05:00):

A couple of years ago I was heeding the buzz around the vulnerabilities exploited by Nachi...but postponed the patch fest in part because of a state-mandated security policy audit.
Nachi showed up...

Anonymous (2006-03-27 19:11 -05:00):

I've recently been having problems dealing with a Federal agency that's deep in the throes of FISMA bureaucracy. One of our divisions is trying to find a way to safely put a machine at one of their remote sites, and I've been trying to provide advice. The colocation means we need to figure out how to secure their systems from ours, and ours from theirs, while still getting necessary data transfers done.

Meanwhile, their security folks send emails referring to signoffs by people with certain titles, and want us to do the same sort of thing. Worse, their folks with the titles necessary to sign off on nonexistent paperwork seemingly don't know enough about networking to discuss the issues with us. We can't even get scope or requirements, let alone any kind of design discussion started.

I made the mistake of looking at email about that mess while on vacation, and started muttering about FISMA in front of a friend we were skiing with. About 50 years ago, he had landed in North Africa, Sicily, Italy, and Normandy, then fought through the Battle of the Bulge. After all that, he taught school for US DoDDS for 30+ years. He reminded me of the difference between peacetime soldiers, and wartime soldiers.

I think that dichotomy is similar to what we're seeing here. FISMA does a great job of enhancing headcount to fill out all the paperwork, which is the point of any bureaucratic empire. It's wasteful and has opportunity costs when it comes to defense planning, though is otherwise not directly harmful when you're not under regular attack.

However, those of us who are fighting day in and day out tend to have little to no understanding of REMFs.
If we were to spend our time filling out all that FISMA, ISO9000, etc. paperwork instead of paying attention to our threat assessments, our systems would be compromised at an even greater rate.

Instead of FISMA, "the book" for us needs to be a combat manual.

Anonymous (2006-03-25 13:44 -05:00):

Excellent post! The company I work for has recently been placed under the umbrella of gov't regulations, including the battery of questions from the FISMA. I agree with you and Mr. Brody. FISMA does some things good, I will give it that. It puts heavy emphasis on documentation, policies, and standard procedures, which is very important. But yes, it completely ignores what I would consider the "active" part of security; that part that is ever-changing, active, realtime, subjective.

The best approach would hopefully blend things like the FISMA into actual hands-on penetration testing and evaluation...something consultants would be more appropriate to perform as opposed to internal gov't systems.

Of note, I also understand the need to have an objective scorecard. When you start butting up against judicial law, you have to have things spelled out. Realtime law-changing just does not happen most of the time. If a company/agency has a low scorecard rating against a battery of questions and objectives (FISMA) and something negative happens, this allows people to point fingers. This is one of the seeming requirements of gov't and law. You gotta have a line...I don't think there is a grey line called "reasonable to a security officer" line. (In reference to many laws like sexual harassment laws that point to what a "reasonable" person would feel...)

-LonerVamp