Posts Tagged “NIST”

For those of you who are either working for or supporting the U.S. Federal Government, I wanted to let you know that I’m teaching a seminar/workshop on the FISMA Certification and Accreditation process at the end of this month (30-31 March).  This is an overview of the entire process with a lot of lessons learned.  Anyone can read the NIST documents so what we teach is an approach to the process that will make it relevant in your environment as opposed to some checklist/massive documentation approach.    What it is not is a typical vendor seminar – you won’t get any sales pitch and we don’t push any products.   

We are delighted to have several government speakers at this two-day event as well. Marianne Swanson from the Computer Security Division of NIST will be our keynote speaker on the morning of the first day. We will also have a panel of government experts to share their experience in making C&A relevant. They will be Tim Ruland – CISO of the U.S. Census Bureau, Porter Davis – Information Security Officer with the Department of Housing and Urban Development (HUD), and Paul Rickets – Senior Information Security Officer, Nuclear Regulatory Commission (NRC).

All of this will be taking place, as I said, on the 30th and 31st of March 2009 at the beautiful Willard InterContinental Hotel in Washington DC. The event is being put on by the Potomac Forum, Ltd., a non-profit educational organization founded in 1982. The team of individuals who put this on with me has a pretty wide base of experience, and we try to instill the lessons we’ve learned over the years in what we teach. This is very much a team event where everyone contributes material and instruction. We have been honored to keep getting asked back to teach this seminar. It’s been over 5 years now.

Anyway if it is something you’re interested in, you can find out more at the Potomac Forum website. 


Okay so I spent the week in DC and attended the pilot presentation of the NIST’s Risk Management – An Organizational Perspective course and I thought that I’d share my thoughts on it with everyone. 

First off, the course is intended to provide an overview of the methodology for managing organizational risk, unsurprisingly called the Risk Management Framework (RMF), developed by NIST and aimed at Federal Agencies.

When I accepted the invitation to go I really didn’t give it much thought and showed up expecting to sit through an overview class that would be presenting some new information.  When I got there I realized that what NIST wanted was feedback on the content and presentation.  Ever one to have an opinion, I was delighted to provide constructive feedback.

The course is based on their Special Publication 800-39 document: Managing Risk from Information Systems: An Organizational Perspective.  The primary audience is of course the federal government but it contains tried and true principles familiar to anyone who manages risk.  What is surprising is that after all these years many organizations focus on what I call “point solutions” and not on organizational risk.  I’ve seen this happen at federal agencies as well as private institutions in more than a few different industries.  So with this in mind it is important to keep repeating the obvious until people begin to take some notice – enter this course.

Apparently NIST is planning on developing both an executive overview of the document as well as a three to five day overview course for government people who will have “hands-on” responsibilities with regard to risk management in the federal government (but no actual experience) – two very different audiences.  The problem with the pilot course is that it tried to cover both audiences at the same time. 

Now I’m not knocking NIST here. Course development is not as easy a task as it may seem. There are many different types of learners as well as different levels of detail required depending upon the audience. I’ve been developing and delivering similar training for over five years now, so I know firsthand how hard it can be. When you sit down to prepare the material it can often become difficult to accurately judge the level of detail needed, so my hat is off to NIST for opening themselves up to criticism.

The level of expertise and experience of the people sitting in that room was daunting.  With over 10 years of experience I was probably one of the more junior people there.  Just about everyone else had just over 15 years and came from a variety of different backgrounds.  If you were looking for constructive criticism, I can’t think of a better group to get it from though. 

Now when you get that many smart, experienced people in a room there is typically always someone who wants to promote their own agenda – it didn’t happen this time though. Everyone listened and gave very good advice and their considered opinions. It was very collegial and team oriented. I think that everyone felt that they were contributing to the greater good and was happy to be able to do so.

We occasionally had a hard time not getting caught in the weeds. When you’ve been doing this for a while you tend to know which minutiae are important and which aren’t. The problem becomes squaring that with the level of detail required by the target audience. NIST’s presentation had that same problem. At times it was just right for an executive level of detail and at others it dove down into the weeds. While everyone in the room followed along, I’m not so sure a new person would have. The group’s comments reflected that opinion too.

One new thing that I heard (and it’s possible that I haven’t been paying attention as I’ve been focusing on the private sector for a while) is that NIST plans to release what they call Quick Start guides.  These are intended to be the “Cliff Notes” for the special publications.  They showed us one as an example and I thought it was just the right level and length for an executive summary.  It was enough to give you a context and an idea of what you needed to know before you dove deeper into the content of the actual Special Publication. 

All in all it was a pretty good few days.  NIST has a very difficult job.  When most people sit down to develop standards and guidelines they have a specific audience in mind.  That audience tends to be somewhat specific – either a specific industry or a specific organization.  NIST’s audience must span the entire federal government with all the different organizational cultures from all the different agencies.  What they come up with must be applicable in all those different environments.  Give too much information and it isn’t applicable in some environments; give too little and it isn’t applicable in any environment. 

This course will probably go a long way towards rectifying some of the criticism thrown at NIST over the years.  This week was a great opportunity to talk with the authors of the document and learn what they went through in order to create the documents.  Many of the issues we brought up were debated by NIST when the documents were created and we were able to gain the insight of their intent.  I hope in turn NIST will incorporate these insights into their Risk Management course.  That will go a long way to reducing some of the confusion that is out there.  I have every expectation that it will. 

All in all I had a great couple of days.  I met some wonderful and knowledgeable new colleagues, renewed old friendships, and gained a little more insight into this topic that we call Risk Management.


The following is a piece that was originally written for Network World’s Security Newsletter and published in March of 2006. It was a collaborative effort between Joe Faraone, a close friend, and me. The issue we touched on really hasn’t gone away, so I thought that I’d dust it off and update it a bit.

Sometimes we hear senior managers and executives expressing frustration with government regulation by saying that the issue has come down to a choice of either being secure or being compliant. In fact, compliance remains the number one driver of information security as reported in the 10th Annual Global Information Security Survey conducted by Ernst & Young.

This is consistent with the article that sparked the original version of this post. That was an Information Security Magazine article from October 2005 in which security managers were asked to respond to the question, “What is your biggest obstacle to implementing and managing security related government regulations?” Responses reveal that the top two obstacles faced were unclear compliance-related responsibilities and interpreting regulatory language. This point of view appears to be more prevalent in the private sector than the public sector.

One of the reasons for this discrepancy is that the public sector must follow a specific framework for measuring the maturity and effectiveness of its information security programs: certification and accreditation (C&A). The Federal Information Security Management Act of 2002 (FISMA) was intended to provide for the development of and maintenance of minimum controls required to protect information systems and to provide for a framework for ensuring the effectiveness of these controls. While many of the overriding principles followed in C&A are contained within the law, nowhere are the words “certification” or “accreditation” found.

FISMA points to the Office of Management and Budget (OMB) as well as the National Institute of Standards and Technology (NIST) for guidance. OMB has issued its Circular A-130, which requires that all federal information systems be certified and accredited following guidelines developed by NIST.

Now the C&A process has gotten a lot of bad press, some of it well deserved. But coming from someone who has worked with the process in one form or another for the past ten years, I’d say that it comes down to a matter of implementation rather than issues with the process itself. If the process is viewed as just another paper exercise intended to satisfy auditors, then it is a waste of time, but that view is also missing the forest for the trees.

NIST has done a laudable job of developing and revising this guidance. It provides a methodology to fully document, measure, assess, track and report on the health of information systems from the aspect of security. These guidelines show how to integrate an information security program with the systems development lifecycle as well as how to test the implemented controls.

Those in the private sector are probably wondering why this should be important to them. Many argue that the control sets mandated by the process are too much for a private sector environment. Others say that implementing the full set of baseline controls would be too costly and provide little ROI. Again, my response is that you’re missing the forest for the trees. The process itself is what is valuable here, and it is flexible enough to allow any set of requirements to be utilized, not just the set of baseline controls provided by NIST.

NIST publications and the methodology for conducting certification and accreditation are freely available and constitute an untapped publicly available security resource. Inputting the government regulations (Sarbanes Oxley, Health Insurance Portability and Accountability Act, etc.) into this framework allows the private sector to document, measure, assess, track and report upon the security posture of their information systems and how well government regulations are adhered to. The private sector can assess the maturity of their information security programs and determine how well these programs integrate into their overall business processes.

What is key for the private sector is that the process must be tailored to your environment and needs.  Herein lies the problem that has plagued C&A from its beginning – it is often applied improperly. 

When the emphasis is placed on being compliant, people go through the motions and focus on technology and checking boxes rather than leveraging the power of the framework to assess the effectiveness of their programs.

The two most basic elements of any system are often overlooked or underemphasized: the information being protected and the people who use the information. You can put in all the high security devices you want in a system, but if you do not account for the people who need to use the information system and the criticality of the information within the system, you still will not be secure.

If the C&A process is improperly applied then it does result in a lot of wasted time and paperwork. If it is properly applied then it becomes a wonderful tool to assess the effectiveness of your security controls – everything from policy and procedure down to control functionality and configuration.  It provides a holistic view of the network and security with the emphasis on being secure. Compliance is simply a milestone on that journey.

The beauty of this is that the information that you need to implement this framework is _free_ and fully available at the NIST Web site. Do you need to hire high priced consultants to come and set this up for you? No, you don’t. Although consultants can save you some time on the learning curve, the guidance available through NIST will allow you to begin the process on your own. You can then use consultants to give you an independent review of your program or to bolster areas where you might feel less comfortable. But remember that you must tailor this framework to fit your environment – use what works and make sense and discard that which does not.  (Sorry government readers – this doesn’t apply to you.  You don’t have the same latitude to do that as does the private sector.)

The CIO implementing this approach can concentrate on the details of how information is protected and used rather than scurrying about wondering how to bring order to the new herd of cats that legislation has unleashed.

Take the framework that NIST has so diligently given us, plug in the requirements that you are subject to, and then sit down with your network architects, your user representatives and your key project managers and find a way to work efficiently but securely. With the NIST framework, you will be able to assess, measure, track, and deliver a more secure and user-friendly network and, in the process, achieve compliance. I have done this with amazing results, so I know for a fact that it works.

Alternatively, keep enjoying your view of the forest.
