Compliance: It’s Still (an even bigger) Thing

February 28, 2019

You have heard it enough to make you aim a fire extinguisher at your firewall:  “compliance does not mean security”. Compliance work can consume up to 70% of security budgets in Federal government agencies, and it is common to spend more money identifying, documenting, and gaining approval for a remediation than the remediation itself costs.

I once documented the time I spent on these processes to enforce a simple password change on an administrator password. Discovering the flaw took an hour-long interview, during which I suspected the administrator was trying to be elusive, but eventually revealed that the password in question had not been changed in years, and was also the default password, easily found through a Google search. I then had to convince others in the security program that this was a serious weakness – about three hours of meetings – and then document and present the expected effect of the change on operations, along with a back-out plan; these documents took a couple of hours to create. We also recorded the weakness in a Plan of Action and Milestones (POA&M), with a cost estimate and schedule. The paperwork and interview required to show the weakness was out of compliance, and the paperwork required by policies and regulations, consumed about 8 hours of my time, not to mention several hours of other peoples’ time. The time required to carry out the operation was less than five minutes. (Remember: this was for a simple password change).

One could argue that this would not have happened if the administrator had complied with policy – change default passwords – in the first place. However, this story does show how compliance consumes a disproportionate amount of time and effort, which should go to more important security measures: threat hunting, training, incident response, and other germane security work.

In the Federal government, most compliance efforts revolve around the NIST Risk Management Framework (RMF), which forms the basis for the DoD Information Assurance Risk Management Framework (DIARMF). I have written extensively about the RMF, but agencies must also work with numerous other requirements, at the legal, policy, or regulatory levels. In 2014, the Obama administration promulgated the Cybersecurity Framework (CSF), which framed security programs in simple, CEO-friendly terms:  Identity, Protect, Detect, Respond, and Recover.  The CSF had its own control set, a more straightforward version of the venerable SP800-53 compendium driving Federal compliance efforts. The CSF went over well:  it provided a structured approach to cybersecurity but was not excessively bureaucratic.

In 2017, the Trump administration issued Executive Order 13800, “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”. Among its numerous and sweeping requirements, EO 13800 mandated adoption of the CSF.  The straightforward nature of the CSF is great, but do agencies now have to document compliance with an additional set of controls? How much money and time have agencies expended on CSF compliance – or are they even working to comply?  Most importantly, could they use the resources allocated to CSF compliance more effectively in other ways, such those described above?

Compliance is a valuable aspect of Federal cybersecurity programs, but it is too much of a good thing. Instead of 70% of budgets, it should occupy 10-15% of those funds. I often hear that security programs are under-funded: they lack the money to implement effective security. There’s truth to that, but it may also be true that agencies have enough money, but are required to allocate it ineffectively.