© Critical Informatics Inc., All Rights Reserved 2016

Threat Intelligence Blog

The Been There, Bled There Blog that covers, well, just about anything that we feel you can gain critical insight from. We wear our battle scars with pride and are grizzled enough to occasionally yell, “Get off of my Lawn!” As they say, “You Can’t Make This Stuff Up!”
We Can Turn Security into a Market Force
10/25/2014, By Michael Hamilton, CISSP, CEO

This is a response to a question I was asked by a State CIO (not our state) regarding legislation that addresses security in procurement. Now sharing with you.

I have been very interested in strategies to turn security into a "market force" through the creation of competitive differentiators, and using the purchasing power of the government. I feel this is a non-regulatory way to address the problem - leverage the fact that we're capitalists. This was a message delivered to, and very well received by, the Deputy Secretary of DHS in a recent meeting.

I'm not aware of legislation that has created an actual requirement for demonstrable security in a product or service, with the exception of the FedRAMP program for cloud products. See below.

First, the opinion.

Effective legislation would, in my opinion, create an expectation that it is the responsibility of the state to purchase products and services that are differentiated by their attention to security. This would have to be based on standards - but don't create the standards. Make the products attest that they adhere to existing industry standards (for example, OWASP for web application security), and ideally that they have been validated by a third party as meeting the standard. Don't make it a mandate that they hire a third party to test the product; just score them higher on the RFP response if they have! Change is thus forced in a non-regulatory way, just by using the power of the purse. Companies start to advertise the fact that their products are demonstrably secure, and capitalism starts to do its thing.

Now the experience.

I see the procurement security issue (or supply-chain security) addressed more through innovation than legislation, and by industry groups more than government. An example is the recent Boeing/DHS conference on that topic a few weeks ago in Mukilteo, WA - sharing ideas rather than waiting for a standard to be imposed by regulators. Also, most of the effort seems to be around newer technology purchases like cloud products (SaaS and IaaS - PaaS, I think, is a notable exception).

The PCI standard mandates that web applications meet security requirements on a quarterly basis (testing performed by an approved vendor), and that you can only engage a payment processor that has been certified for security. That's an industry control, and is a reasonably effective way to achieve an outcome - the companies MAKING the money are to provide security, not the organizations SPENDING the money.

At the City of Seattle we modified procurement and contract language to create an expectation of security, and used that as proposal scoring criteria. The minimum qualifications to bid included third-party attestation OR allowing the City to perform testing for security against the OWASP standard (for SaaS applications). Evaluation of the product or service included specific scoring on security in policy, vulnerability management, et al., and the RFP template was connected to a spreadsheet of security questions on COTS, SaaS, Proserv, etc., so that the relevant queries on security were integrated into the posted RFP for the product or service being sought. Contract language included the expectation for security management of the product, and submission of additional testing attestation if the product underwent structural or functional changes.

The FedRAMP program for cloud providers was created through legislation (HR 1163 in 2013). FedRAMP is a standards compliance certification program for cloud products, with third-party assessment required. Federal agencies cannot procure these products from non-certified vendors. I am aware of nothing similar at the state level.

Part of the NIST framework talks about third-party security, but not in great detail for the lowest tier of "compliance". The NIST framework was created through executive order (EO 13636 in 2013), so it is an example of a non-legislative solution.

In my view, when we can collectively implement a market-based strategy to require security in the products we buy, we will turn a significant corner. Changing our thinking about how we secure our information technology and implementing the change through organizational innovation has to happen now. Waiting for legislation - especially federal legislation - is quixotic.