
SecPgh's video: Transforming Government Compliance - Fen Labalme

The goal of compliance frameworks like HIPAA, SOX and FISMA is to ensure that basic security controls are met. The Federal government and an increasing number of state and local governments look to the Risk Management Framework (RMF), as defined by NIST SP 800-53r4, as the baseline for compliance management. Unfortunately, the RMF is rooted in static, waterfall methods, and it is clear that compliance does not equal security. While RMFv2 (described in NIST SP 800-37v2) talks of continuous monitoring and ongoing authorization, the culture and proprietary tool sets create significant friction that slows down any agile effort. This talk will briefly overview the current state of the art as practiced by federal authorizing officials (AOs) and some of the issues faced, many of which are cultural. A small but growing community is looking at ways to automate the creation of system security plans (SSPs) and to build security management into the CI/CD (DevSecOps) pipeline. Because of the cultural status quo, significant effort goes into creating properly formatted MS Word documents from the updated git and S3 artifact repositories. Finally, we will touch on why free/libre data formats and protocols are necessary to support viable continuous monitoring, since application boundaries vary wildly and threat landscapes change too rapidly to rely on black-box proprietary agents to fully monitor.

Fen Labalme, CISSP, has been involved with data security and personal privacy for decades, starting with his 1981 M.I.T. thesis on an electronic newspaper (NewsPeek) that foresaw the problems personalization would cause if privacy was ignored. Today, Fen is the Chief Information Security Officer for CivicActions and is working to bring agile, free and open source security to government agencies fettered with antiquated, static cybersecurity compliance requirements.

Fen's goal for this year is to enable general purpose "Authority to Operate" (ATO) authorizations in two weeks, where currently this process takes agencies from nine months to three years.

This video was published on 2019-07-14 11:53:22 GMT by @SecPgh on YouTube.
