> AppDefects (Contributor III) edited a topic in Industry News on 08-26-2019 03:03

> Department of Homeland Security
> Department of Justice

OK, now *this* is hilarious ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
In the middle of difficulty lies opportunity. - Albert Einstein
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

---

@AppDefects wrote:

Approximately 40 agencies (partial list below) received a failing grade by the Office of the Inspector General (OIG) in its independent assessment of information security practices. Read the entire report to US Congress here. I expect that a lot of Agency CIO's and CISO's will be looking for "gainful employment" after congressional representatives rip through the report and ask WHY are agencies failing to deliver on information security effectiveness?

...

---

As one of many who have had to deal with U.S. government Certification & Accreditation (C&A, Old Risk Management Framework, RMF) / Assessment and Authorization (A&A, new RMF) under FISMA, and the resultant compliance reporting (the basis for the linked report), here are aspects worth knowing:

 

1. FISMA compliance is not about making systems more secure, it is about showing compliance with a particular type of audit, specifically including whether each IT system is operating under a current Authorization to Operate (ATO). Getting an ATO is a PITA of paperwork, and says little about the actual security of the system. Holders of the CISSP-ISSEP and CAP should understand this distinction of paperwork versus security. 
2. Agencies' grades are based on the percentage of identified systems that show a high level of compliance. Thus, very small agencies with only a few IT systems tend to score high, and humongous agencies with almost uncountable IT systems, such as Homeland Security and Defense, end up with lower scores.