Wednesday, July 16, 2014

NIST, Russian Gangs, Chinese hackers

I had occasion to look at some White House and OMB guidance on implementing a security procedure in an enterprise.  Since I don't deal with this very much anymore, it was a little surprising to see what passes for policy these days.  It reminded me of the fiasco with security of E-Qip, the personnel security system.

OMB and NIST still think that it is realistic to do risk assessments for even the most trivial of things, developed in an agile environment and moving along like a rocket leaving the launch pad.  Security can't keep up with, let alone get ahead of, the developers if it is constantly trying to assess things that won't matter tomorrow, when the work is done.

E-Qip is one of the most sensitive systems in the Federal government, housing the applications for security clearances for most employees.  It is beyond comprehension that it could be at risk, unless somebody is still trying to complete a risk assessment after development has ended.  Given the guidance, that is entirely possible.

OMB and NIST publish guidance, not policy.  Guidance means you can do it or not, depending on how you feel about it, or how a manager feels about it above you in the food chain.  This is a ludicrous concept that allows government officials to say "I told you so" without any idea of what it was they were telling someone to do.  There is nothing firm in what an agency is told to do.  It makes for inconsistent implementation, weak links that can be exploited, and no consideration that the threat environment has passed them by.

There was a time when policy was managed by the Intelligence Community for the bulk of National Security systems and by NIST for the civil sector.  Nothing has advanced in policy since NIST became the center of it.  Hand waving is not going to work when hackers are getting into almost every government system we have.  If there ever was a national security system, E-Qip was it.  It angers me that we can't make it secure enough to keep this data out of the hands of Russian mobs and Chinese military units.  You can't do that with guidance.
