February 20, 2007

FISMA is too hard, let's blame the vendors

A new member of the Security Bloggers Network is Alex Bakman, the founder and CTO of Ecora Software. I first became aware of Alex's blog when he linked to me on Security Consolidation. Alex has a good article up today about the call to revamp FISMA, and specifically about a report from an RSA panel featuring Alan Paller of SANS and Bruce Brody, currently of CACI but formerly the CISO (I think) of the Veterans Affairs and Energy departments. For those not familiar with the federal information security market, FISMA is the Federal Information Security Act. Under this act, federal agencies are graded each year on their compliance with it. We usually read about the results in the news, as this agency or that one receives failing or poor grades.

It is generally agreed that we need to do something to improve the security posture of the federal government. However, like Alex, I think Alan Paller is off base when he blames the security vendors and calls for "products security configured by default". As Alex points out, one size does not fit all when it comes to IT configurations. It is unrealistic to think you can have a default configuration that will be right for everyone.

My own experience with the federal government leads me to believe that the issue is more about resources and expertise. I can't tell you the number of times we have run into issues with federal customers who, due to budget considerations, do not have the resources to adequately support the software they purchased. Then, when they do have the budget, the skill set does not match: Linux guys trying to do Windows, Windows guys on Unix, network people on the desktop, and so on. I think if they would put better management and budget around the implementation and operation of security tools, FISMA scores would go through the roof. It is not that the government does not have the right tools or good tools; it is that they are not being used correctly.
