Penetration Testing mailing list archives

RE: Government Compliance


From: "Smith, Michael J." <Michael.J.Smith () unisys com>
Date: Thu, 16 Jun 2005 11:06:08 -0400

-----Original Message-----
From: Dave [mailto:dave.anon () gmail com]
Sent: Wednesday, June 15, 2005 10:51 AM
To: pen-test () securityfocus com
Subject: Government Compliance

Hello everyone. I know some will view this as a rant and others as
informative, but I am making this post as a sanity check.
As far as government compliance goes, it's at the discretion of the
DAA/AO.  Part of your effort should be a Security Test and Evaluation
plan, which will state your approach.  If the DAA/AO buys off on as
weak an ST&E plan as the one you mention, then it's their problem when
the General Accounting Office or Office of Management and Budget comes
around for an audit and finds that they did not exercise due diligence.
It's also your responsibility to stand up and say that their ST&E plan
is not sufficient.

Here's what I would recommend:
Offer up your own ST&E plan with what you really want to do and what
your goals are.  If you have to, take it directly to the system owner
and the DAA/AO.

THE guidance you have is SP 800-42 which is available at:
http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf

All the other stuff, like FISMA, just says that you will do testing.
The NIST pubs actually detail the execution.  SP800-42 even lists
typical tools to use, things like dsniff and L0phtcrack.  Section 3.10
is the "official" description of what activities you should be doing
during a pen test.

I know it's tough to stay when you are surrounded by people like this,
but we need more security guys with a conscience working in the
government.

Michael J Smith michael.j.smith () unisys com
Information Security Specialist
703.419.3109 W
703.855.0890 C
