Sep 10, 2012

Cyberpunk is a genre of science fiction writing that focuses heavily on high technology and hacking. When I saw this was the theme for RSA’s booth I thought of William Gibson for the first time in years. Arguably the most famous writer of the cyberpunk genre, William Gibson coined the term “cyberspace” and defined it as a “mass consensual hallucination”. When I read this line as a teen, it struck me as not just a pretty piece of prose but as something valid and insightful. Gibson was saying that cyberspace is what we, as the users and participants, agree that it is. Similarly, we as the users and participants of the IA community shape it by mass agreement and consent. Why mention it in my federal security and compliance blog?


Well, it is a strange, exciting, and nerve-wracking time in federal IA! If you are a federal IA professional or a support contractor working in the federal space, how do you do strategic planning in the current IA climate? The Cybersecurity Act inches closer to law while caught in the middle of a political battle. When will it get signed into law? What sort of “bonus” regulations might get tacked on before it gets signed? Once signed into law, it will drive updates to FISMA. This will have impacts that are impossible to quantify right now. Large-dollar bid requests (RFIs and RFPs) are starting to roll out for Continuous Monitoring and FedRAMP solutions. These will change the faces of IA, C&A/A&A, and FISMA reporting as we know them. The clock keeps ticking toward the death of DIACAP, but with no real move-in-earnest toward DIARMF in sight.


In two years’ time, the federal IA landscape may be something we would not recognize today. There is a tangible feeling that we are moving into a new chapter in this industry. It is a time in which companies and careers may boom or bust. This is why I raised the point of the mass agreement and consent. Acts of Congress are certainly prescriptive, but the emerging IA initiatives that spawn from FISMA and the Cybersecurity Act could be interpreted many ways and solved many ways. Different people have different ideas about what Continuous Monitoring is, or should be, for example. The SCAP community keeps cranking out new specifications and new versions, some with use cases that have yet to be fully defined. NIST SP 800-53 Rev 4 comes out (hopefully) this fall. Every time a new revision comes out, the IA community waxes philosophical about the intent of each new control or change. There’s lots of activity, but it’s not all fully defined. There is a final connotation or meaning that comes only with maturity, after people agree on it organically. This agreement is intangible in most ways, but it is what makes a practice into a “best practice”, for example. Mass consent.


As we develop our new Archer federal solution, I am forced to guess where the federal IA community will be in the future. Fortunately, RSA Archer is flexible and configurable enough to adjust to changes in the areas listed above. The other part of this equation, however, is the “mass consent” piece. I have some small measure of control over the face of future IA if I help create the best IA Management tool and it becomes the de facto standard. You have control over my tool and every other security and IA tool on the market by suggesting which features you want to see or which use case you’re seeing go unsatisfied, and by voting with your procurement dollars. You can even influence the face of the regulations themselves. At any given moment, how many NIST documents are open for comment? I just recently found out that even Dr. Ron Ross lives on the plane of mere mortals and you can email him with problems and he will reply by phone (!). The point is that we can have as much of an effect as we choose to have. The doors are open to us. We are a community and we decide the direction of this industry together. In this spirit, please post your concerns or email product suggestions and problems to


