Quick Reaction to Cybersecurity Act of 2009 Part 1 @ 2009-04-04 17:45:22
Filed under: Politics  Code  Tech  Security 
From: Cybersecurity Act of 2009

(1) in consultation with the Office of Management and Budget, develop a plan within 90 days after the date of enactment of this Act to implement a system to provide dynamic, comprehensive, real-time cybersecurity status and vulnerability information of all Federal government information systems and networks managed by the Department of Commerce; and
(2) implement the plan within 1 year after the date of enactment of this Act.


Sounds like an area only FLOSS software can solve. Hopefully the government will be smart enough to see the value in using the populace to help create something we all can use.

(3) efforts to make new cybersecurity technology, standards, and processes usable by United States-based small- and medium-sized companies;


This to me looks like another good reason why the solutions coming out of this work must be FLOSS. If these groups come out with closed source solutions that only work on platform Y, they are already breaking the above statement. It is very common for small- and medium-sized companies to be using multiple platforms depending on need (Linux on servers, Windows or OS X on desktops).

(3) SOFTWARE SECURITY.—The Institute shall establish standards for measuring the software security using a prioritized list of software weaknesses known to lead to exploited and exploitable vulnerabilities. The Institute will also establish a separate set of such standards for measuring security in embedded software such as that found in industrial control systems.


The above seems like it could be a bit of an issue. Such a list is updated very quickly, and keeping two separate lists could lead to diverging streams with different IDs for the same weakness.

(4) SOFTWARE CONFIGURATION SPECIFICATION LANGUAGE.—The Institute shall, establish standard computer-readable language for completely specifying the configuration of software on computer systems widely used in the Federal government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.


This is another interesting statement. Today there are a number of ways to describe what is on a system. Puppet, CFEngine and bcfg2 have ways of describing what should be present, but not what is actually present at any point in time. I think this is a really good idea ... and it also shows the need to use software that is packaged (or, on Windows, registered with the system) so that the data can be pulled. This will more than likely put a hit on people who deploy Java jar/war/ear, Python egg, Ruby gem, etc., which currently do not provide good ways to query installs.
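To make that declared-versus-actual gap concrete, here is a small added example (mine, not code from the post or from Puppet, CFEngine or bcfg2): a declared manifest of required package versions is compared against what the package database actually reports, and the drift is emitted as a machine-readable report. The manifest, the package names and versions, and the dpkg-query output are all constructed sample data, not taken from a real host.

```python
"""Declared-state vs. actual-state drift check (added example).

A configuration manager states what *should* be installed; a computer-
readable record of what *is* installed has to come from the system's own
package database.  This script compares the two and reports the drift.
All sample data below is constructed for illustration.
"""
import json

# Constructed stand-in for a configuration manifest: package -> required version.
DECLARED = {
    "openssh-server": "1:5.1p1-5",
    "apache2": "2.2.9-10",
    "libc6": "2.7-18",
    "sudo": "1.6.9p17-2",
}

# Constructed stand-in for the output of
#   dpkg-query -W -f='${Package}\t${Version}\t${Status}\n'
# (tab-separated; "install ok installed" marks a fully installed package).
DPKG_QUERY_OUTPUT = """\
openssh-server\t1:5.1p1-5\tinstall ok installed
apache2\t2.2.11-2\tinstall ok installed
libc6\t2.7-18\tinstall ok installed
telnetd\t0.17-36\tinstall ok installed
sudo\t1.6.9p17-2\tdeinstall ok config-files
"""


def parse_dpkg_inventory(text):
    """Return {package: version} for packages dpkg reports as fully installed.

    Lines with any other status (e.g. a removed package whose config files
    remain) are excluded: they do not represent code present on the system.
    """
    installed = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            raise ValueError("unexpected dpkg-query line: %r" % line)
        name, version, status = parts
        if status.strip() == "install ok installed":
            installed[name] = version
    return installed


def compare_state(declared, actual):
    """Compute drift between a declared manifest and an actual inventory."""
    report = {"missing": [], "version_mismatch": [], "undeclared": []}
    for name, want in sorted(declared.items()):
        have = actual.get(name)
        if have is None:
            report["missing"].append(name)
        elif have != want:
            report["version_mismatch"].append(
                {"package": name, "declared": want, "actual": have}
            )
    # Anything installed that nobody declared is drift too (e.g. telnetd).
    report["undeclared"] = sorted(set(actual) - set(declared))
    return report


def drift_report(declared=DECLARED, dpkg_output=DPKG_QUERY_OUTPUT):
    """Parse the inventory, compare it to the manifest, and flag compliance."""
    report = compare_state(declared, parse_dpkg_inventory(dpkg_output))
    report["compliant"] = not (
        report["missing"] or report["version_mismatch"] or report["undeclared"]
    )
    return report


def drift_report_json(declared=DECLARED, dpkg_output=DPKG_QUERY_OUTPUT):
    """Same report serialised as JSON, the shape a central collector would ingest."""
    return json.dumps(drift_report(declared, dpkg_output), indent=2, sort_keys=True)


if __name__ == "__main__":
    print(drift_report_json())
```

On a real Debian-family host the constant would be replaced by the live `dpkg-query` output (rpm hosts would use `rpm -qa` with a query format); the point of the example is that none of this is possible for software dropped onto a box as a bare jar, egg or gem, because nothing records it in a queryable database.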

(6) VULNERABILITY SPECIFICATION LANGUAGE.—The Institute shall establish standard computer-readable language for specifying vulnerabilities in software to enable software vendors to communicate vulnerability data to software users in real time.


Good idea but it was already done by AVDL. Agreed, it is not perfect (it's XML) but nothing is.

(7) NATIONAL COMPLIANCE STANDARDS FOR ALL SOFTWARE.—
    (A) Protocol.—The Institute shall establish a standard testing and accreditation protocol for software built by or for the Federal government, its contractors, and grantees, and private sector owned critical infrastructure information systems and networks. to ensure that it—
        (i) meets the software security standards of paragraph (2); and
        (ii) does not require or cause any changes to be made in the standard configurations described in paragraph (4).
    (B) COMPLIANCE.—The Institute shall develop a process or procedure to verify that—
        (i) software development organizations comply with the protocol established under subparagraph (A) during the software development process; and
        (ii) testing results showing evidence of adequate testing and defect reduction are provided to the Federal government prior to deployment of software.


Another really good thing to do, as long as the protocol evolves along with the industry to some degree. I can see this being hard to keep up with for organizations. Development takes time. Sometimes it takes a long time, and by the time the software/hardware is ready the standards may have changed. On the flip side, I can see the government having an issue keeping the protocol up to date. If that becomes true then the protocol is simply a barrier to entry rather than helping in a significant way. Either way I can promise you developers will hate you ... they don't like being told what to do :-D.

(b) CRITERIA FOR STANDARDS.—Notwithstanding any other provision of law (including any Executive Order), rule, regulation, or guideline, in establishing standards under this section, the Institute shall disregard the designation of an information system or network as a national security system or on the basis of presence of classified or confidential information, and shall establish standards based on risk profiles.


Wut?

(d) COMPLIANCE ENFORCEMENT.—The Director shall—
    (1) enforce compliance with the standards developed by the Institute under this section by software manufacturers, distributors, and vendors; and


How?

    (2) shall require each Federal agency, and each operator of an information system or network designated by the President as a critical infrastructure information system or network, periodically to demonstrate compliance with the standards established under this section.


How?

SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS.
(a) IN GENERAL.—Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.
(b) MANDATORY LICENSING.—Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.


This could be a disaster. Lots of certifications just turn out to be taxes rather than actually providing or giving back value, and this could mean that the number of security professionals available to a government network is smaller than it could be. Hopefully the government will look at the failure of MCSE, A+ and other simple-as-dirt certifications that only end up showing you paid someone some money (well ... for technical folks. When non-technical folks get those certificates I actually believe they did a good job). There should also be a track that allows someone to prove their knowledge and receive a certification rather than going through classes and buying books (i.e. just the test).

SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM.
(a) IN GENERAL.—Within 3 years after the date of enactment of this Act, the Assistant Secretary of Commerce for Communications and Information shall develop a strategy to implement a secure domain name addressing system. The Assistant Secretary shall publish notice of the system requirements in the Federal Register together with an implementation schedule for Federal agencies and information systems or networks designated by the President, or the President’s designee, as critical infrastructure information systems or networks.
(b) COMPLIANCE REQUIRED.—The President shall ensure that each Federal agency and each such system or network implements the secure domain name addressing system in accordance with the schedule published by the Assistant Secretary.


Huh. That actually can mean a number of things (replace DNS? Fix holes in the government's DNS setup? etc.). Hopefully this will be spelled out a bit more.

I'll probably post more when my head is back on.

© 2007-2009 Steve 'Ashcrow' Milner | Studio7designs | Arbutus Photography