Richard Bejtlich sets out to write a book review, and instead writes a screed about FISMA in his latest blog entry. Its a shame too. I would like to know if this book is a good resource for those who are forced to participate in FISMA. We are currently under an Interim Authority to Operate and the auditor is coming in next month to extend that. People where I work create C&A packages and audit them for customers.
When we looked for an outside auditor for our C&A package we had a hard time. Most of the companies we were considering were strong in the technical writing or strong in technical knowledge. We didn’t find a company that was strong in both areas. Both skills are necessary.
Anyone who has been involved with a C&A knows its one big paperchase. Does this mean its a bad thing? I would argue no. Documentation is important. FISMA forced us to update our documentation and create new documents. This is necessary. Due to the tyranny of the urgent that occurs in an I.T. shop this wouldn’t have been done otherwise.
All of the commenters on Richard’s entry disparage the C&A. They say that it offers no improvement in security. They argue that instead its a jobs program for C&A writers. Based on my own experience, I would say you get out of a C&A what you put into it. If it is an antagonistic relationship between the auditors and the System Administrators, then you have a problem. The problem is exacerbated when management just wants to check off C&A boxes rather than actually examining security and making things better. At my company we are better than some but we have a long way to go. The C&A has helped us get there.