FISMA, CAG, and the Department of Redundancy Department

There's a plaintive subhead in the draft of the Consensus Audit Guidelines (CAG) that sums up how the writers of the document must feel about their work to improve governmental IT security. It's right there on page 3: "Why this project is so important: Gaining agreement among CISOs, CIOs and IGs." See? pleads the subtext. See, chief information security officers and chief information officers and federal inspectors general? You can't possibly ignore this very important information if we address you by your title... can you?

Oh, but they can. This is, after all, information security, where people regularly spend more energy circumventing a system than following it. The guidelines are a mighty attempt to ease government and private-sector organizations into embracing good security controls. It remains to be seen if this time will finally prove the charm.

The CAG, entitled "Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance," is an elegant attempt to set forth a baseline of information security measures and controls for bringing government agencies (and the contractors that love them) into compliance with the Federal Information Security Management Act (FISMA).

FISMA's a moving target, to be sure. On Wednesday, the Office of Management and Budget announced that it means to rethink how agencies report their FISMA compliance, even as the annual reports gathered from those agencies' CIOs show increased compliance with FISMA's requirements in 2008. But the testing of security controls has declined in the past year, the report says, from 95% to 93%. The need for that testing has not declined, and so the utility of a "Most Important Controls" guide becomes clear.

Everybody loves numbered lists, and the CAG lays one out, even pointing out which 15 of the 20 controls can be measured and validated with automated tools. For further ease of use, the writers flag "quick wins" (ways in which a given control can be quickly, cheaply or easily implemented) and "advanced" options. Nearly every control is described in terms of how attackers exploit the weakness it addresses, how it can be implemented and measured, and (when applicable) what procedures might be used to do so. You've seen this high level of structure before; check the nearest "For Dummies" book.

And maybe that's what it takes for an uptick in uptake, because a perusal of the 20 top-priority controls in CAG reveals that truly there is very little new under the sun. We won't spoil the ending for you, but hardware and software inventories, audit logs, anti-malware defenses, data leakage protection -- these are, as the man says, songs you know by heart. Or should.

Digging in, it's good general stuff, based on real-world experience and excellent for explaining to the stubborn and/or ignorant how each of the twenty highlighted controls can thwart evildoers and keep things generally on track. And, as the introduction points out, "The principles and measures addressed in this document are also highly applicable to commercial and academic enterprises and should be usable within the commercial marketplace." (Translation: Wait! Don't go yet! If you go, we'll follow you! Give us a chance!)

And if it all still sounds just too daunting -- if a nice summary with a handy list and a deliberately clear structure still can't get some people to read and digest infosec information, for the love of FISMA -- concerned parties may need a visit from CAG's bigger, more intimidating brother: Special Publication 800-53, "Recommended Security Controls for Federal Information Systems and Organizations."

That's the National Institute of Standards and Technology's comprehensive catalog of security controls, also entering the late stages of draft mode. 800-53 provides, as it says, "a stable, yet flexible catalog of security controls for information systems and organizations," and it's a beast -- 209 pages and counting. (CAG, in contrast, weighs in at a svelte 40 pages.) 800-53 is one of the guidance documents that supports FISMA without being part of the law itself.

CAG and 800-53 cover quite a bit of the same territory, and it's possible that after their respective public-review periods close on March 25 and March 27, they'll be brought into even closer alignment. The last two pages of CAG are an appendix mapping the twenty CAG controls to the relevant passages in 800-53 -- nice reference-desk stuff that can be printed out and hung on the wall. Maybe that's the ultimate answer: the chart is the security-control charm, and CAG's good work on prioritizing and explaining controls will, for each reader, eventually boil down to the quickest path into the thick of the full-scale documentation.

© 1998-2025 BetaNews, Inc. All Rights Reserved.