Bill Puts Contractors Out of Work?

For the past couple months I've written about <a href="http://cybersecurityreport.nextgov.com/2010/04/white_house_heroes.php">continuous monitoring</a>, its <a href="http://www.nextgov.com/nextgov/ng_20100421_5175.php">importance</a> and the <a href="http://cybersecurityreport.nextgov.com/2010/04/state_dept_success_revealed.php">steps</a> that must be taken to change the security culture in Washington. Today we are a lot closer to breaking down barriers and implementing near-real-time situational awareness. But there are still things slowing down the transition aside from the Federal Information Security Management Act (FISMA). Sometimes the best way to find out about those barriers is to sift through the written testimonies submitted to Congress.


My colleague Alan Paller recently was a panel member speaking on behalf of the 2010 Protecting Cyberspace as a National Asset Act, the Senate cybersecurity bill sponsored by Sen. Joe Lieberman, I-Conn. Turns out Paller's testimony is full of tidbits that help paint a picture of the bureaucracy and pushback to change.

According to Paller's testimony, the contractors that charge federal agencies hundreds of millions of dollars for writing those out-of-date compliance reports are fighting to stop the legislation. Logically, this would make sense if the bill put them out of business. But Paller seems to think it's wasted energy. He writes: "They and their firms can continue to be employed to enable and manage the new way of doing business."

He doesn't elaborate, and this is a question worth more exploration, but I've never been a proponent of the "all jobs are sacred because they are jobs" mantra. If a company is doing a disservice with its work, it ought to be stopped and told to get a new job. That goes for all those offshore drillers, too.

The other element at play in this backstory, according to the testimony, is federal officials who "appear to be uncomfortable with change or afraid of taking responsibility for active risk reduction." He doesn't name names, but he goes on to tell a story about a meeting with 150 federal security contractors and information security officers. Hord Tipton, the host and president of security education firm (ISC)2, asked them all if they were doing continuous monitoring. Roughly 130 raised their hands. The problem is, the kind of continuous monitoring they were attesting to is not continuous monitoring at all.

"The people who raised their hands are calling manual data entry of quarterly or annual or tri-annual reports 'continuous monitoring,'" writes Paller. "This is how the consulting firms can continue to get paid hundreds of thousands of dollars for reporting out-of-date information; they'll enter it into a computer system rather than print it and put it in 3-ring binders."

Adam Ross is managing editor at the SANS Institute and wrote, edited, and Web produced for The Washington Post's opinions and politics sections, online and in print. You can reach him at aross@nextgov.com.