Just change the grading system

The Department of the Interior wants a new grading system. The Government as a whole got a D+ on their report card, so rather than improve they blame the grading policy and dismiss it as being check-box oriented.

Certainly, FISMA is a big paper chase, but at the end of the day security is improved and risks are accepted or mitigated if people take it seriously. The problem comes in when System Administrators bunker down to protect their turf and management goes to Tom Davis to get FISMA changed rather than focusing on improving the security program.

Agency CIO Tipton noted that his agency did not score well on the most recent report card but said Interior’s cybersecurity has never been stronger… “We look at FISMA and I noted that we fended off four billion probes, scans, attacks last year without any significant breaches.”

You fended off four billion probes. That sounds awfully impressive to the casual listener. It sounds like a number a CIO would use if he were trying to prove that all that money spent on security is actually worth it. Does that number prove defense in depth, or does it prove you have a firewall?

Of course it’s not hard for the Department of the Interior’s cybersecurity to have never been stronger. Look at 2004, when a judge forced them off the Internet for 4 months due to their information security bungling.