The whole idea of the Certification & Accreditation (C&A for short) process within the government started out as a fundamentally sound plan. Unfortunately, as everything began to unfold over time, it quickly changed into a convoluted and burdensome process for any Information System Security Officer (ISSO).
Each agency is required to meet the controls that are adapted from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. The issue is not necessarily in the controls that are required to be met, but in the interpretations that are handed down to sub-agencies from their parent agency. Not every sub-agency operates in the same manner, but many times each parent agency treats all sub-agencies the same regardless of the function of the sub-agency.
Luckily, there is a solution that is easier said than implemented. That solution is to allow the sub-agencies to adapt the NIST SP 800-53 controls to their specific environments and then get approval for their adaptations from their parent agency. Now, even though this solution is obviously not definitive, nor is it fool-proof, it allows the already existing C&A infrastructure to be used as seen fit while also allowing for the modifications needed by the sub-agencies.
I'm not saying this would be an easy task, but in the end the C&A process that started out so promising could once again be a good plan.
NOTE: This is not the only thing about the C&A process that needs work but keep checking back with us to find out what else could be done to better improve the process.
I, too, am a first-time blogger. Getting wrapped up in the day-to-day business of security can be quite a demand on keeping in touch with the vast online community. With that being said, I can only hope that my information will be helpful as I continue to write about the interesting things we at Foreground Security see on a regular basis.
Working with the staff at Foreground Security has been nothing short of educational, especially since we seem to never see the same thing twice. It keeps us on our toes, and we always enjoy a good challenge. All of us are excited about our new website, and we will continue to improve our presence in the online security community.
Keep checking back with us to get our latest news on things we may have encountered, experienced, or heard through the "grapevine" that may not be out there yet.
We hope to see you at BlackHat!
So this is my first official blog post, ever! While others have blogged "promiscuously," I have not had the opportunity, as it always seems like other things have kept me from being involved in the online security community. So, here it goes:
I would like to quickly discuss Wi-Fi on airlines and the potential security risks that are blatantly inherent in the service. As I write this I am sitting on a flight to Vegas for BlackHat and we have in-flight Wi-Fi. So, I decided to start poking around to see what the service was like and how secure it may or may not be. I plan to write a more detailed account of my "findings" later this week, but here is a quick recap of some fun facts: speed and service are very good; it is expensive; I was able to do a webcam session with my family at home live from the plane; no content seemed to be blocked; it appeared it was possible to ARP jack the wireless network if I wanted to; ICS was an option if you wanted to share one internet connection; and plenty more to come.
Heading to BlackHat and the Craps Table!