Comments on TaoSecurity Blog: Why DIARMF, "Continuous Monitoring," and other FISMA-isms Fail
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Feed updated: 2023-10-16T06:06:25.012-04:00
18 comments, newest first.


Comment by Anonymous (2015-04-30T10:40:17.839-04:00):

"Monitor controls" is as vague as existing DISA STIGs that drive DIACAP C&A....

Add to that the POORLY implemented S-CRAP OVAL code developed by the TAPESTRY contractor crew, and you have a REALLY BIG problem. From what I understand in speaking with their "TECH Support Team", the whole system was designed upside down, i.e., tools to manage the software environment have yet to be developed, even to this very day. They simply jumped in and started coding with (mostly) inexperienced programmers, inexperienced systems software developers, no true visionary to lead, all while sunsetting the UNIX SRR scripts and the Gold Disk. Now, the GD could probably not have continued, but I believe the U-SRR scripts could have been incorporated into the envisioned futurescape. It is BY FAR much easier to script than to attempt to force Mitre's OVAL lexicon (created primarily and successfully for "Winders") to extrapolate data from UNIX/like systems.


Comment by Anonymous (2012-05-26T21:16:00.615-04:00):

All enterprise security frameworks will be control based. It is the content within a specific control that will address the continuous monitoring requirement. ISSE, SDLC, RMF, DIACAP, etc. all have continuous monitoring components, which are validated through periodic self assessments.

Enterprise security frameworks should be scalable to address new requirements as they arise, without having to overhaul the entire framework, which will only result in wasted tax dollars and a national security posture that will diminish during the transition, only to return to its original state. However, the implementers of the new framework will line their pockets something handsome. The deficiency is the lack of a motivated and trained workforce.

Liquid


Comment by Anonymous (2012-05-21T13:38:11.183-04:00):

The problem with DIACAP implementation results from all the additional processes introduced by the people that are charged with the implementation. DIACAP is outlined within DoDI 8510.01 and utilizes the security controls contained within DoDI 8500.2 which are further explained within the DIACAP Knowledge Service. DIACAP is fundamentally simple.

In the simplest form DIACAP should work as such:
- Collect the data required to identify the resource and populate the attributes that comprise the System Identification Profile (SIP)
- Use the Mission Assurance Category (MAC) and Confidentiality Level (CL) to identify the security controls required for resource protection and list them on the DIACAP Implementation Plan (DIP)
- Track the implementation of required security controls using the DIP
- Perform a controls validation test (CVT) to verify and validate (V&V) that the controls have been implemented correctly
- Use the results from the CVT interviews, documentation/demonstrations, observations, and tests (IDOT) to assign a compliance rating to each of the required security controls
- Indicate the compliance rating for each control on the Scorecard
- Transfer all non-compliant (NC) and not applicable (NA) controls to the Plan of Action and Milestones (POA&M)
- Assign a severity category to all non-compliant security controls on the POA&M
- Work the POA&M items with the highest severity category and impact code first
- Meet with the Certifying Authority (CA) to review the DIACAP Artifacts (SIP, DIP, Scorecard, and POA&M) and receive an accreditation determination
- CA recommends that an accreditation decision be made by the Designated Approval Authority (DAA) and/or may require additional POA&M items to be mitigated
- DAA annotates the accreditation decision on the Scorecard
- Maintain compliance posture through periodic CVTs and annual reviews

The introduction of processes that deviate or attempt to modify DIACAP is what causes the complication. For instance, DIACAP recognizes that a control may be inherited from another source but there are organizations that attempt to introduce the inheritance of a portion of a control - the validation step. Understandably this is to report to managers the actual validation step of the control that is non-compliant and subsequently the organization responsible; ideally so it can be properly funded and fixed and not to shift blame. However, one can argue that if any portion of a security control is inherited, the control is inherited. After all, if any portion of a security control is non-compliant, the whole security control is non-compliant.

DIACAP was introduced to manage the level of risk associated with interconnecting systems. Unfortunately, it has been twisted into something that is in some extreme cases crippling to the organization. The problems that are present in DIACAP will be present in DIARMF unless the implementation is handled more delicately. The people that are responsible need to be properly trained and excessive modification/deviation from the process should be restricted.

For instance, consider a high school report card for a child. The report card lists all the courses that the child is taking and the present condition of the child's performance in each of those courses. Whether the child's parents realize it or not, they either accept the performance and the associated risk or put into action a plan to improve the performance and consequently the grade. Periodic assessments can help reassure that the plan is working but the true performance gauge is the next report card. I hope the similarities to the DIACAP DIP, Scorecard, and POA&M are obvious.

RG


Comment by Anonymous (2012-05-10T12:56:09.097-04:00):

While I agree that the focus of information security should not be solely on compliance of security controls, compliance does provide a good starting point for managers to gauge the cost of security.

I will build upon the football analogy introduced in the article "Why DIARMF, "Continuous Monitoring," and other FISMA-isms Fail" by Richard Bejtlich. Security controls provide the criteria by which one can score the game. If the continuously monitored security control is the "game score", then it allows the coach to change factors as needed to improve team performance and consequently the score. For instance, it might be necessary to put the fastest 40-yard player in for a deep pass play, or the heaviest player in for a special block. Measuring compliance of security controls provides managers with a method for acquiring the funds necessary to safeguard critical system resources that may otherwise be left exposed. Security costs money and managers must juggle between protection of resources and balanced budgets.

Continuously monitoring security controls at an interval relevant for the security control and the protection of the resource is essential to gauging how well you are playing the game. No resource is absolutely secure. Implementing and continuously monitoring security controls provides a point of origin for further security efforts. Obviously a system that is in total compliance is still vulnerable. However, the risk of a threat agent exploiting vulnerabilities on a resource that is in compliance is reduced. Completely securing a resource is not the idea behind compliance; it is instead focused on reducing risk to a level acceptable to senior managers.

RG


Comment by Anonymous (2012-01-31T12:37:54.899-05:00):

Though I like the idea of a common security language and framework, OMG, quick! the aspirins! We are in for a more rude awakening than what we have run into with DIACAP implementations.


Comment by Anonymous (2012-01-25T21:53:12.430-05:00):

"Monitor controls" is as vague as existing DISA STIGs that drive DIACAP C&A. The effectiveness will be an "it depends" matter. If a control to be monitored is "existence of affirmative executable constraints" (i.e., NAC/NAP disallowing other than defined executables) then "monitor controls" is effective. If it means running Retina regularly then it is one more bureaucratic boondoggle.


Comment by Richard Bejtlich (https://www.blogger.com/profile/13512184196416665417) (2012-01-09T20:13:04.552-05:00):

Hey Anonymous who said I bash FISMA... this blog has dozens of posts on what the Feds should do instead of FISMA. For example, from 2007: What the Feds Should Do (http://taosecurity.blogspot.com/2007/04/what-should-feds-do.html).


Comment by Anonymous (2012-01-09T16:38:07.188-05:00):

Interesting analogy, but the statement, "...under the new system, a box can be totally owned but appear "green" on the FISMA dashboard because it's compliant with controls. Why? There is no emphasis on threat monitoring -- incident detection and response -- which is the only hope we have against any real adversary", is misleading as it implies there is no link between security controls and an incident. In every incident I can think of at my organization, it was a failed control or a known (and accepted) missing control that resulted in an incident and it was other controls in place that minimized impact, and led to detection and recovery. Also, authorizing officials and assessors should be taking threats and threat monitoring information into account. I do agree that it would be useful to better connect more real-time threat data as part of the assessments and there have been some products where that has been attempted, but I'm not aware of any products that were actually successful.

The football analogy doesn't quite work since in football both teams have to follow the same set of rules, etc. With IT security, the good guys have limited budgets, must protect data despite flawed consumer grade products (that system users insist on having as soon as they are available), and must deal with complex architectures and the need for a lot of control exceptions to allow work to get done. The only way the good guys can score is to not let the bad guys score (i.e. we can only defend). The bad guys need very small budgets to attack, can attack from anywhere in the world, and all they have to do is find one bug in one piece of widely distributed software or a single device that is not up-to-date on patches, and they can score against thousands of computers and use their access to generate profit. Also, in football, if your team does well, you attract more fans and get bigger budgets. In security, if your team does well, it's assumed that there are no problems and your budget can be reduced.


Comment by Anonymous (2012-01-09T14:28:42.563-05:00):

As usual, someone who bashes FISMA, but doesn't come up with any specifics on something that would help secure our Government's computers better... FISMA is far from perfect, but it does work and does give a level of security. If you have something better, then outline it.


Comment by Anonymous (2011-12-13T13:17:48.473-05:00):

As an in-the-trenches guy, all this means is more tons of paperwork. The changes get lost and then we get yet more questions and more paperwork. Add in PIV cards for computers in locked rooms, encrypted disks for totally uninteresting data and the constantly increasing attacks, all I see is lots of money and email about nothing while attackers have open season. Plus we have the new federal bureaucracy of security contract managers who only can forward email and award contracts. Then there will be an article in the Post and a committee will ask for yet more paper.


Comment by Anonymous (2011-12-01T01:37:57.900-05:00):

This almost seems to follow the route that PCI has taken. A slow, tortuous path that seems to lead to a reasonable place, but in reality, has no grassy meadow at its end.

Plain and simple: continuous monitoring of controls, at any frequency, is not equivalent to knowing, let alone proving, you are operating a secure environment.


Comment by Ken (https://www.blogger.com/profile/07051065687414146391) (2011-11-29T12:49:18.193-05:00):

I agree with Garrett. I see "continuous control monitoring" as a step in the right direction. Once we know we're properly securing systems, then we can move on to continuous threat and attack monitoring.

However, there are two challenges which need to be overcome for continuous monitoring to actually be beneficial:

Information Overload - Too much information detail will confuse senior leadership, and possibly result in someone pushing the panic button over a minor issue.

Micromanagement - Senior leadership will become so obsessed with "100% compliance" that lower level technical staff will be spending too much time chasing systems which are "just slightly out of compliance", and not enough time will be devoted at the local level to actually analyzing intrusion attempts.

Until the above two issues are overcome, continuous control monitoring will only hinder, not help.

Ken
CaffeineSecurity
http://caffeinesecurity.blogspot.com


Comment by Garrett Galloway (http://www.garrettgalloway.com) (2011-11-25T09:37:19.197-05:00):

I see this as a step in the right direction. While I am on the same side of the fence with the monitoring issues and ACTUAL PWNAGE problems, the big improvement I see is that this new(ly implemented) system spells out the controls much better and there isn't as much voodoo magic left up for interpretation by the DAA. Is it still a failure? Maybe, but it is a better failure than we had before.


Comment by Richard Bejtlich (https://www.blogger.com/profile/13512184196416665417) (2011-11-23T15:28:40.865-05:00):

Len, you win for best intro to a comment in the history of this blog!

I look forward to your future posts too.


Comment by Len Marzigliano (https://www.blogger.com/profile/15490697877630627807) (2011-11-23T14:07:51.991-05:00):

For an upstart writer, Richard's analysis of my article is akin to having Stephen Hawking find your master's dissertation on theoretical physics and write a book on it. I appreciate even further the deference given to the article itself versus the points made regarding RMF and FISMA.

I do feel compelled, however, to dispel the myth that FISMA is the only driver/effort of Information Assurance within the federal government. While popular because of its birth in Congress and position as a gatekeeper to system funding, FISMA is just a defensive coordinator, not the head coach. Other defensive lines (Cyber CND) and special teams (US-CERT) exist in the game, and threat analysis is an underpinning subsystem of the government's playbook, even as it permeates throughout the NIST Risk Management Framework in subtle but important ways that critics might overlook.

I have a pingback article in the hopper to detail this and constructively build upon the conversation. I also intend to bring important feedback from this topic into the DoD and civilian federal communities to achieve the desired effect of process improvement.

-=Len


Comment by Adam Montville (https://stoicsecurity.com) (2011-11-23T09:29:07.971-05:00):

I have a post over at Tripwire's "State of Security" blog (see http://www.tripwire.com/blog/compliance/state-of-macro-continuous-monitoring-enabling-effective-cybersecurity/) on the topic of continuous monitoring.

What you say here is correct, but you're missing the long view. The government knows configuration and patch assessment, so it starts there. The continuous monitoring you're speaking of is what I call "macro" continuous monitoring. The "micro" continuous monitoring - that which entails your actual security monitoring processes - is presently implied, but will explicitly follow - especially as the Event Management Automation Protocol and related security automation efforts (i.e. IODEF/MILE) start coming up to speed.

Remember we're talking about the Feds - they......move.......slowly.


Comment by paulj (2011-11-22T22:28:35.350-05:00):

I 100% agree FISMA is and has been lacking for some time. And while NIST has extremely smart people, they are too slow to put out relevant security guidelines. However the problem still remains, people need a baseline security posture to be held accountable to. So what do you suggest? It's a given that it would be driven by field assessments. But you still need an initial starting point for your overall IT security program, something akin to the SANS Top 20 critical controls. To me the major problem with FISMA is more on the enforcement side and less on the requirement side. It's a complete waste of trees and the auditors and auditees use very subjective means to achieve compliance.


Comment by davehull (https://www.blogger.com/profile/13189230083815485114) (2011-11-22T20:08:44.431-05:00):

Wow, so that's what they mean by "continuous monitoring?" I guess I took it to mean something akin to security monitoring. This is tragic.

There is a place for monitoring controls, but I agree threat monitoring is of critical importance, especially as threats emerge that existing security controls can't protect against.