Evolution of Security
A CSAM that is used for all agencies is a key component for the continued evolution of agency cyber capabilities. As we already know, agencies are deploying sensors that help to understand vulnerabilities. Those vulnerabilities are lighting up dashboards like Christmas trees. We need to home in on the finite list of vulnerabilities. As such, anything that helps us to subtract lights from the dashboard is a good thing. All that POA&M data is in CSAM. Thus if we can make a link between the POA&M and a vulnerability that we are already working, then there is a segment of the noise that we can wipe away.
In order for this to have merit we need to get serious about managing POA&Ms. Their max duration must have rules and there must be a limit about how many times you can re-up them. I have seen agencies create a POA&M for six months and even year-long durations. That is completely unacceptable. If a POA&M lasts more than a month (for a critical or high), without something to mitigate the issue then you might as well quit now.
Agencies have also gamed the system by extending POA&Ms. They will create a POA&M and give it a due date of two weeks but then every two weeks they extend it for another two weeks until you get six months or a year down the line and you realize that you have been played like a banjo on the knee of a hick missing three teeth. The other big way agencies game POA&Ms is by closing down a POA&M and opening a new one on the same issue for the same system.
To address these problems agencies need to be held accountable for:
- Completely reporting their POA&Ms.
- How many POA&Ms they are carrying on a daily basis.
- The average duration of their POA&Ms.
- Percentage of POA&Ms that are extended.
This set of data will help oversight organizations to understand the level of risk different organizations are willing to accept.
In This Series:
6 <sup>6</sup> http://www.darkreading.com/cloud/cybercrime-a-black-market-price-list-from-the-dark-web/d/d-id/1324895?