Policy, Standards, Regulations & Compliance
Re: Suing for Security Jul 05 2006 09:24PM
Earl Crane (earlcrane gmail com) (1 replies)
Re: Suing for Security Jul 05 2006 11:06PM
ljknews (ljknews mac com) (1 replies)
RE: Suing for Security Jul 06 2006 12:16AM
Smith, Michael J. (Michael J Smith unisys com) (1 replies)
However, a failing FISMA report was used in the Cobell case as evidence
(amongst other things) that Interior did not have "adequate" security.
That's the interesting part to me.

Cheers
--Mike

Michael J Smith, CISSP-ISSEP michael.j.smith (at) unisys (dot) com
Information Security Architect
703.579.2552 O
703.855.0890 C
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer

> -----Original Message-----
> From: ljknews [mailto:ljknews (at) mac (dot) com]
> Sent: Wednesday, July 05, 2006 7:06 PM
> To: psrc (at) securityfocus (dot) com
> Subject: Re: Suing for Security
>
> At 5:24 PM -0400 7/5/06, Earl Crane wrote:
> > Larry,
> >
> > I'd like to include a clarification to your statement. You are correct
> > that NIST 800-53 provides the controls, and FIPS 200 states that all
> > federal systems must follow those controls by March 2007.
> >
> > However, this does not mean that federal systems are not currently
> > complying with NIST 800-53. In fact, far from it, which is why we hear
> > so much about the FISMA scorecard.
>
> But the FY 2005 "FISMA scorecard" was based on:
>
> Whether federal systems have been inventoried
> Whether federal systems have been assigned an impact level
> Whether federal systems have been tested against 800-53
>
> The FY 2005 "FISMA scorecard" was _not_ based on whether the
> systems _passed_ the test against 800-53.
>
> http://www.whitehouse.gov/omb/memoranda/fy2005/m05-15.html
>
> The rules for agency reports toward the FY 2006 "FISMA
> scorecard" have not yet been released by OMB, and compared to
> last year's schedule, they are overdue.
> --
> Larry Kilgallen
>

RE: Suing for Security Jul 06 2006 12:23AM
ljknews (ljknews mac com) (1 replies)
Re: Suing for Security and SP-800-53 online Jul 07 2006 02:34AM
Fred Cohen (fred cohen all net) (1 replies)
Re: Suing for Security and SP-800-53 online Jul 08 2006 01:17AM
ljknews (ljknews mac com)


 

Copyright 2010, SecurityFocus