FEDRAMP FISMA HIGH and Actual Security Controls, Really?

By Rob Carey, CSC Cybersecurity

I was asked to read and review the newly published FEDRAMP FISMA HIGH Cloud security controls and spent a few hours poring over the vast Excel spreadsheet on which they are captured. I must admit that an 828-line spreadsheet was a bit daunting at first and, while there is a lot of really good guidance included, I’m not sure that I wasn’t lost in the enormity of the task a CISO/DAA would have trying to implement these controls.

In fact, so many controls are included that it’s hard to sort out which present a meaningful outcome to advanced cybersecurity and which don’t. Accordingly, the controls are also variable in that that each individual organization has many ways to implement them (and attest to inspectors that they’ve met necessary controls). There is virtually no way to evaluate the result consistently.

If a dutiful security team implements all controls, are they then secure? What is the effect on confidentiality/integrity/availability of the information/system? What is the relationship between the heavily funded U.S. Government information security apparatus and a commercial cloud offering? Or has the team simply taken sufficient actions to afford a positive review by their review/inspection authority, most likely the Office of Inspector General.

The risk management calculations afforded by this spreadsheet require a supercomputer, and the effects of spending precious resources on elements of the spreadsheet can’t be calculated. shutterstock_122946274In fact, so much of these controls’ implementations — from 800-53R4 — are interpretable (via process, technology or other means), that I’m not sure what really is achieved by meeting FISMA HIGH compared to FISMA MODERATE.

How does complying with these controls relate to actual security levels? I think it would be more valuable to simplify and articulate mandatory controls and processes. There are consensus audit guidelines available from the SANS Institute that consolidate/simplify the controls and objectives into 20 bins. The challenge in both places is that is there is not precedence/efficacy to any of the controls, and that precedence is not attached to a data classification schema…

As written, this guidance may have been forged out of a very precious metal: unaffordium. There is no way to evaluate what “effect” the enhanced controls will actually have other than making an agency feel good that they are implementing a different checklist approach to security and spending more $$$.

I offer that we should implement pen-testing standards as a part of working through 3PAO accreditation. There is a difference between “risk management” and actual information security. Just as there is a difference between “compliance” and actual information security. It would be helpful if the FEDRAMP folks could work with NIST to determine the actual effects of implementing simple, firm controls, such as mandatory two-factor authentication for users, enhanced two-factor authentication for privileged users and biometrics.

At the end of the day, what NIST and the OMB need to determine is how much $$$ should be spent protecting CUI/FOUO-level data. Chasing the 800-53R4 without a measurable result only keeps the compliance community in business and doesn’t actually raise security.

________________________________________________________________________

Screen Shot 2015-03-23 at 4.46.10 PM Robert Carey, CSC Global Cybersecurity Public Sector vice president, is responsible for delivering and managing cybersecurity offerings and managed services to the public sector. Before joining CSC, Carey spent 31 years in the public sector, most recently as U.S. Department of Defense Principal Deputy Chief Information Officer.

Comments

  1. Sapphire Eagle says:

    I have struggled with Hitrust for the same reason(s); fantastic post, insightful and illuminating it illustrates the dichotomy of repeatedly overworking (poorly classified) onerous, resource-stricken, driven from the baseline by rarely inept just overworked or un-empowered managers with no visibility or true investment from the top of the food chain of highly paid executives. Usually a ✅tick box. Thankyou for a compelling post!

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: