A couple of weeks ago, NASA announced it was all but done with certification and accreditation (C&A), calling it “cumbersome and expensive.” Many were intrigued by such a statement – not because it was wrong, but because it represented a potentially interesting shift in the status quo, done in a somewhat rebellious manner. NASA instead favors a “risk-based approach” that relies more heavily on continuous monitoring. NASA also cited significant cost savings from cutting back C&A activities. Seemingly in direct response to this outburst, NIST has now released an update to its continuous monitoring FAQ, specifically pointing out that C&A activities are a necessary component of risk-based management of systems, and highlighting that continuous monitoring alone is insufficient. One of the[…]

Today, in advance of the 2010 RSA Conference, I had the benefit of attending the 10th CSO Council Bay Area Round Table: The Last Mile: The End of Paper. It was an interesting exercise built around a mock trial (moderated by two judges) involving three wills signed with three different technologies: an ink signature, a closed-system electronic signature, and a digital signature. You would think this would be an easily decided scenario; the digital signature is the superior and more trustworthy technology, right? Well, not when you change the rules a bit. Basically, they made the strength of the process the inverse of the strength of the technology. Here are the key points from today’s trial, and I’d like your suggestions on which[…]

SearchCompliance.com has posted an article detailing important regulatory compliance trends that will affect IT in 2010. The trends listed include: automation of compliance processes; more regulation en route; FISMA compliance reform; more enforcement for noncompliance; federal data breach and privacy laws emerging; cloud computing complicating compliance; SOX compliance for small companies; and migration to risk management. I was quoted in a couple of parts of the article with my visions of the future related to FISMA and risk management. It’s worth a read and a comment if you think they missed anything, or if my predictions are way off!

Dan Kaminsky posted the following on Twitter: “http://eprint.iacr.org/2010/006.pdf Is it time to deprecate 1024bit RSA for, say, 1276bit? (2048 has perf issues.)” The link Dan provided is a research paper reporting the successful factorization of the 768-bit number from the original 2001 RSA challenge. I responded to him that NIST had already deprecated the use of 1024-bit RSA in the government, and that it was time for industry to follow suit. Since I posted that, I’ve been surprised that a number of people don’t understand the upcoming changes in key lengths and algorithm strengths that have been mandated by NIST. So, this post offers some information about why I can confidently say the U.S. government has deprecated certain algorithms and[…]