“Security control assessments and privacy control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass inspections or audits—rather, such assessments are the principal vehicle used to verify that implemented security controls and privacy controls are meeting their stated goals and objectives.”
This is the first paragraph of the prologue of the National Institute of Standards and Technology’s Special Publication 800-53A (Revision 4).
And it’s become a farce.
The Federal Information Security Management Act (FISMA) mandates that all government agencies be accountable for the adequacy of their cyber security controls. And that “accountability” comes in the form of system assessments and authorizations performed by independent third parties, like Lunarline. This independent third party is responsible for vetting IT systems and ensuring they adhere to NIST’s Risk Management Framework (RMF).
However, these days boxes are the only things most contractors are checking.
Why are they checking boxes, not controls?
When I started out in this industry in 2008, a system security assessment and authorization actually meant something. It was a rigorous, technical assessment that got to the bottom of security issues and meaningfully improved system security.
But they were also expensive. An assessment of a system with any sort of complexity cost well into the six figures. This price tag was merited because it required a good deal of time and resources to get down in the “weeds” and check 600+ security controls and enhancements.
Yet in the past seven years, the pricing has plummeted, and it’s not because we’re more efficient. If anything the workload has grown with the introduction of new standards. NIST 800-53A, revision 4 was a major one that significantly increased the complexity of assessments. So logically, the cost of an assessment should’ve gone up. Right?
Wrong. Today, the cost of a system assessment hovers between $20,000 and $30,000.
How is that possible?
Contractors aren’t assessing systems anymore. They’re bidding low to win work, going through the motions and rubber-stamping the paperwork…with the agency’s consent.
Because, come on, who wants to deal with a tough audit?
This practice isn’t just a waste of money; it’s leaving government agencies vulnerable to cyber attacks.
The threat landscape has become more dangerous and complicated. But in the absence of strong FISMA enforcement, there’s been a race to the bottom. We know of agencies with critical systems that have gone years without conducting legally required system assessments…with absolutely no repercussions. Scary, isn’t it?
What’s the solution?
Well, we certainly can’t return to the days of six-figure assessments. In this age of federal austerity, we just don’t have the budget.
But independent assessors also can’t be expected to work for minimum wage and still conduct meaningful security assessments. To make the assessment process comprehensive and cost-effective, we need to home in on the controls that make the biggest difference in an agency’s security posture.
Lunarliners are big fans of the SANS Institute’s Critical Security Controls. This control set is streamlined and focused on the controls that make a meaningful difference in system security posture. We believe it offers a great model for rethinking the NIST controls and coming up with a sustainable, cost-effective assessment model.
Next, agencies need to be held accountable for FISMA compliance, especially C-level officials. Senior agency leaders were once wary of signing off on FISMA assessments and “authorizing” systems for operation. They feared repercussions should the systems they authorized ultimately prove vulnerable to attack. But once they realized the law had no teeth, they stopped caring. There have to be severe repercussions for agencies — and their leaders — that fail to meet compliance standards.
The same goes for contractors. We need to ensure compliance by actually performing technical assessments – not just walking agencies through a list of questions. NIST SP 800-53A already defines three assessment methods: examine, interview and test. A walkthrough that never reaches the test method is an interview, not an assessment. And just as we need to hold agencies and leadership accountable for security, we need to hold ourselves accountable for conducting meaningful, complete assessments.
Want an example of the compliance process done right? Take a look at FedRAMP. There’s a reason even simple FedRAMP assessments are significantly more expensive than traditional FISMA assessments, despite drawing from the same NIST controls. It’s because the FedRAMP Joint Authorization Board (JAB) makes sure the work is actually done, and done correctly. The FedRAMP JAB doesn’t tolerate a checklist approach to information security. And neither should we.