[ievans]

I'm surprised there are so many negative comments on this release, which I suppose is timed for discussion at Blackhat/Defcon.

The report's identifies its audience as four groups of stakeholders: (1) federal civilian executive branch agencies (2) target rich, resource poor entities where federal assistance and support is most needed, including SLTT partners and our nation’s election infrastructure; (3) organizations that are uniquely critical to providing or sustaining National Critical Function (4) technology and cybersecurity companies with capability and visibility to drive security at scale

The overlap with the HN audience is probably primarily under the last category, where they have 5 objectives listed in the report (increasing threat modeling, secure software development frameworks, accurate CVE data, secure-by-design roadmaps, and publishing stats like MFA adoption and % of customers using unsupported product version). These all seem like good priorities for an agency like CISA and I've been impressed by their level of direct industry interaction even in our company's corner of the security (appsec) space.

[rawgabbit]

Looking at the details of the plan to secure America's IT infrastructure, it leads me to Secure Software Development Framework which then leads me to an Excel spreadsheet which then leads me to a tick the box exercise I can get from any generic consultant.

https://csrc.nist.gov/files/pubs/sp/800/218/final/docs/nist....

This is how big corp rubberstamps their security "review". As an American, I was hoping for the government to come up with a real solution. Like telling the big tech companies, that if America goes down the toilet, so do you. So stop with nonsensical security theater, and come up with real solutions. Like how to identify who is doing what. Real identity authentication and real logging. No more VPN/TOR/I can use any IP address I want then spoof a federal employee. No more I can arbitrarily change any setting/value because MSFT/UNIX doesn't believe in auditing.

[unethical_ban]

You're doing a lot of hand-waving. As someone who has managed remote access to... Internal networks, I'll say it isn't as easy as shoulder surfing at a coffee shop anymore to get into a secure network.

And if that isn't known, I do consulting!

[logicallee]

I’m a “target rich, resource poor” entity which is where federal assistance would most be needed, so I read the report eagerly. I didn’t like it and it doesn’t seem to contain any useful plans or roadmap.

[tptacek]

Are you a federal agency? That's most of the target of CISA's strategic work.

[logicallee]

I do work at the federal agency level, which is what I think you’re asking. I am clearly the intended audience of CISA’s strategic work, and that work is of very poor quality at the moment (as shown by the document we’re discussing) and does not serve my interests. CISA also declined to take my feedback in an unpaid advisory role, which is the first time in my life that this has happened. I’ve never met another organization that goes to as much lengths to avoid the possibility of hearing from its customers.

Where in the linked document do you see any part of their vision to listen to their targets and solve their problems? Their strategy does not include allowing any reporting of problems and threats, nor gathering any feedback about the security issues on the ground. In fact their document doesn’t even contain basic contact information. It is an opaque document discussing non-threats and ignoring gathering information about threats, understanding and responding to them. It is the worst strategic plan from any organization on any subject and fails to mention any mechanisms toward necessary outcomes.

https://www.cisa.gov/sites/default/files/2023-08/FY2024-2026...

[tptacek]

I suspect the issue here is that you are not, in fact, the intended audience of this work.