OSEC

From: Randy Taylor (gnu_at_charm.net)
Date: Tue Jan 07 2003 - 17:49:52 CST


    At 11:00 PM 1/7/2003 +0000, Talisker wrote:
    >Sadly within the public sector installing an IDS isn't merely a question of
    >having sufficient resources to achieve the objective, there are also a
    >plethora of political and accreditation issues to overcome. CC can help to
    >surmount many of the bureaucratic mountains that lie in the way.
    >I don't agree with it, but it's a fact of life; I can't see another way
    >until common sense prevails. Unfortunately public sector and common sense
    >rarely walk hand in hand.

    You've hit the hidden nail pretty close to its head. The U.S. Government
    public sector now requires significant Certification and Accreditation (C&A)
    efforts for any new infrastructure being stood up and it is in the process
    of introducing C&A into existing infrastructure. CC product certifications
    are an integral part of the C&A process now, and they're not going away.
    The U.S. Military has been doing C&A on their critical infrastructure for
    as long as I can remember. The point is that post 9/11 pretty much -everything- in the
    U.S. .gov and .mil network domains is being identified as critical
    infrastructure.

    From the outside-in view, CC and its C&A parent are bureaucratic at best
    and Byzantine at worst. In the projects I'm involved with these days,
    I spend as much time on C&A issues as I do on technical issues. I'm
    seeing the process from the inside. It does get mind-bogglingly complex
    sometimes, and everyone I know that's involved relieves the pressure with
    an occasional witty rant or two. My previous humorous comments aside
    though, C&A has identified weakness in infrastructure that would have
    escaped detection otherwise. C&A has this annoying habit of working.

    Sure, the overall process can be improved, and I'm sure it will - but it does
    what it's supposed to do now. From a structural security perspective, C&A
    is essential. I wouldn't be surprised to see the commercial sector adopt
    C&A processes and demand CC certs in the next year or two.

    >just my 2c
    >
    >take care
    >-andy

    8)

    Randy