This is really a direct continuation of the last post in this series ... the second half of a "to be continued" TV show, if you will. I was really going on quite a bit though, so I had to break it into two posts. Why did I highlight the relationship between SANS and NIST? Because it demonstrates a few key things that are part of "the current state of FISMA."
First, this whole situation reminds me of a quote I heard some 4 years ago from a colleague who was a FISMA compliance expert, and it demonstrates the chasm between the compliance and operational or technical security disciplines. "The people managing the firewalls and Intrusion Detection Systems (IDSs) think that's security, but it's not. What we do is security." Apologies to my colleague, who is actually very good at what he does, but that comment still strikes me as ridiculous these 4 years later. As I discussed in the last post, effectively SANS and a massive number of folks are on the other side saying the opposite: "documentation/compliance/program management/etc. is not security; the firewalls and IDS are." That is no less a ridiculous comment.
There is a bigger picture that includes both sides, and places the appropriate weight and resources on both. As a community, we all need to avoid being a compliance specialist who views every problem as solvable with a dashboard or scorecard, or a SOC analyst who thinks every security problem is solvable with a better IDS signature. Everyone in the field needs to try to see the whole picture, and how their specialty fits into it.
Second, the initial battle, and subsequent cooperation, with NIST is an interesting demonstration of what happens on a micro-level every week across the government. There are groups within IT, or different security teams within an organization. Each of them feels it has the best approach to fixing a problem. Whether it's prioritizing systems for IG audits, creating an update to policy documents, or implementing a FISMA reporting tool, there are groups within an organization right now battling over which is the most important. Often, the argument on both sides devolves into "this is the priority, and if you can't see that you're stupid!" And often, as Alan said about the supporting folks at NIST, these priorities are based on bad advice from people who either
- have a vested interest in one side or the other; or
- just don't see both fitting into the overall security picture.
On some level, the security profession requires us all to put that aside for the common good. Now I'm about to sound like I want everyone to sit around and sing Kumbaya together, so I'll stop before I quite reach that point. Hopefully though, these last 2 posts have shed some light on this divide within security, and highlighted the fact that it can either cause us to spin our wheels and tear the field apart, sending each group off in different directions, or we can try to work past it to get some dialogue going which will advance the field in the long term.