
Comment This is all about shifting the blame (Score -1, Troll) 185

Idiots who chose to live in antique buildings in an earthquake-prone area.

Rather than take personal responsibility for it, they are now trying to blame the scientists.

I doubt scientists can accurately predict earthquakes due to the limited amount of time we have been observing the earth. Half the nuclear plants in the Eastern US were built to specifications considered accurate at the time, something we now know not to be adequate.

Comment Re:Shock - Big Business Lies (Score 1) 213

FISMA certified (and accredited) means a great deal more than security planning.

Certified means it was tested by an independent security tester to NIST 800-53, using 53A and all associated security pubs. I won't get into the specifics of the security testing required for this, but it is wide and primarily comprehensive*.

NIST's Risk Management Framework

NIST 800-53

Accredited means that a government executive read over everything, with the advice of government security engineers, and still thought it was a good decision to authorize government use. Government types are notoriously risk-averse.

NIST goes far beyond what you see in unregulated industries. If you don't understand the control set, you really are not qualified to speak. While there are other regulated industries that may have similar protections, they are few and far between.

* NIST control sets still need improvement in software security

Comment Re:Google's lawsuit is dumb (Score 1) 213

GSA, the lead government agency for acquisition, certified and accredited Google according to FISMA.

The question is really whether or not GSA can do that (certify and accredit for the entire US govt), and whether or not any agency can arbitrarily add their own unique security requirements (DOI excluding).

Comment Re:Double-standards (Score 5, Interesting) 213

The truth of the matter is more simple.

Google went through the agonizing process of FISMA that is very stringent compared to jokes like a SAS 70 type 2. Microsoft did nothing. DOI does not have a FISMA certified private or govt cloud.

DOI determined they would add in their own unique security requirements for a yet-unbuilt cloud solution that had never been certified for FISMA. Basically a joke of a to-be solution.

Google cried foul, claiming they had already passed the FISMA qualification, something no other cloud vendor had done at the same time period. Google claimed a certified solution like their cloud could not be compared against a non-existent pipedream cloud.

Comment Fine print & commentary (Score 2) 213

GSA certified and accredited Google Apps (FISMA certification).
GSA is the lead agency for acquisition for the US Govt.
GSA met several of the NIST standards at the moderate level.
DOI claims that the GSA certification doesn't meet their specific standards and they have to have a govt-only cloud in the continental US.
DOI security has been the laughingstock of the US govt for as long as I can remember.*

* DOI was disconnected from the internet by a federal judge for complete failure in IT security.

Comment Re:Idiotic Moderators. (Score 3, Informative) 262

PowerShell is, by far, one of the best things Microsoft has created on the scripting side. Why? They basically took a shell and enhanced it by making it object aware and giving it access to .NET. In Microsoft lingo, cmdlets replace Unix utilities.

I am not a fan of the naming conventions they use in PowerShell! It makes it harder to write terse scripts.

Please see http://w3.linux-magazine.com/issue/78/Bash_vs._Vista_PowerShell.pdf for a comparison of PowerShell vs Bash.

http://blog.brandonbloom.name/2009/04/powershell-condemned-to-reinvent.html

Comment What most of this "IT security work" really is... (Score 4, Insightful) 72

Most of the work involves commodity certification & accreditation (C&A) that involves the following:

Phase 1
A "system owner" (govt IT manager) has staff prepare documentation of the security controls implemented on a "system" (logical grouping of computers). The security controls are in NIST 800-53; this is FISMA in action.
C&A process http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
NIST Controls http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf
NIST Audit process http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-53-A%20Rev.%201

Phase 2
A certification agent comes in, assesses the system using tools and configuration analysis. This is heavily slanted towards audit, instead of true security analysis.

Phase 3
A senior executive (Authorizing official) makes a decision about the risk acceptability of the system to operate, and may make the system owner do corrective action. The system then moves into continuous monitoring (phase 4).

That is how certification and accreditation operates in theory. Now I am going to tell you how the system is gamed.

Phase 1 implies that you actually have competent IT security professionals on hand, performing work for the system owner. This is a false assumption. Most system owners don't know security, nor do their staff.

Phase 2 - First of all, the certification agent companies don't understand security. They can talk the talk (CISSP) but have no solid IT / IT security expertise (they are not security testers). Many certification agents will not even test systems. They play a game of bringing in cheap staff or running vulnerability scanners, then passing them off as "penetration tests". The amount of utter garbage in the field is amazing. Even worse, the reports they write up are audit garbage. If you asked most certification agents about a security methodology, they haven't heard of the OSSTMM or similar. They use NIST 800-53A (heavily audit driven), then they write up meaningless reports, treating technical weaknesses as just as relevant as a gap in a policy.

Phase 3 - The vast majority of government executives are clueless when it comes to IT. They know a little bit, like the name of an operating system (Linux - buzzword - yay!) but not much else. So, they are easily led astray. Most will allow a system to operate regardless of how bad it is, based on a horrible security review performed by incompetent certification agents, on a package made by the almost as clueless system owner and his staff.

After a system gets an authorization to operate, many staffs stop doing all security work for 3 years, until the next C&A comes around.

It is not uncommon for a federal cabinet-level agency to have 300+ systems, with 300+ system owners, with 300+ completely separate, unique and underfunded security implementations that have more holes than Swiss cheese.

If you notice, what is missing from the above is actual rigorous security analysis. Code is rarely audited. Configurations are rarely checked 100%. Policy is viewed as being as important as technical controls. Most testing is a wash. Penetration tests are vulnerability scans by nitwits.

And you wonder why the Chinese are plundering the US govt on a daily basis?
