So I have a ton of thoughts on the CISA Secure by Design and Secure by Default push that is ongoing, as I am sure many of you do. And the first thought is: This is not a bad way to go about business as a government agency in general. I think it's easy to ignore how fast the USG has changed its business practices, showing an agility that few large organizations can match. In particular using Secure By Design as a case example.
1. Massive outreach to garner feedback (including at defcon, but also via email, etc.)
2. Multiple rounds of editing of proposals
3. Actual people you could call and talk to about the proposal, with their faces and positions listed right in the papers and blogs and lawfare podcasts. If you were in DC today you could probably hit one of them up for drinks or lunch or whatever.
4. Interaction across multiple stakeholder groups, including internationally
5. The "right people" involved - and you can tell their backgrounds from what they are annoyed about during their podcasts and other presentations. (i.e. Bob Lord is very annoyed about XSS and obsessed with car safety, which I'll dig into later). But also Jack Cable, Lauren Zabierek and Grant Dasher are all worth listening to.
6. Clear executive support
So that's all good stuff. I thought I would post it as its own note because it's rare to spend a moment to look at the government process, and not see literally sausage being made. :)
-dave
Dave,
On Sat, 13 Jan 2024 at 08:13, Dave Aitel via Dailydave dailydave@lists.aitelfoundation.org wrote:
This is not a bad way to go about business as a government agency in general. I think it's easy to ignore how fast the USG has changed its business practices, showing an agility that few large organizations can match.
https://www.oig.dhs.gov/sites/default/files/assets/2024-01/OIG-24-09-Jan24.p... reached a different conclusion.
Hey everybody,
On 19.01.24 05:18, Christian Heinrich via Dailydave wrote:
Dave,
On Sat, 13 Jan 2024 at 08:13, Dave Aitel via Dailydave dailydave@lists.aitelfoundation.org wrote:
This is not a bad way to go about business as a government agency in general. I think it's easy to ignore how fast the USG has changed its business practices, showing an agility that few large organizations can match.
https://www.oig.dhs.gov/sites/default/files/assets/2024-01/OIG-24-09-Jan24.p... reached a different conclusion.
Please note the last sentence on page 3: "The scope of our audit was efforts during fiscal years 2019 through 2022"
Not being a fanboy of CISA, I see that quite a lot of (positive) things have happened in the last 2 years there.
And publishing a report for that timeframe in January 2024 puts the OIG in a questionable light regarding agility and speed.
Just my 0.02 €... telsh
Telsh,
On Sat, 20 Jan 2024 at 07:26, telsh via Dailydave dailydave@lists.aitelfoundation.org wrote:
Please note the last sentence on page 3: "The scope of our audit was efforts during fiscal years 2019 through 2022"
Not being a fanboy of CISA, I see that quite a lot of (positive) things have happened in the last 2 years there.
And publishing a report for that timeframe in January 2024 puts the OIG in a questionable light regarding agility and speed.
The CISA responded to their draft deliverable on 29 November 2023 (Page 15) and have agreed to implement its recommendations by 31 October 2024, 30 May 2025 (Page 12) and 30 September 2025 (Page 13).
The page numbers above of https://www.oig.dhs.gov/sites/default/files/assets/2024-01/OIG-24-09-Jan24.p...