[codegeek]

"There was no meaningful organization scoping, no tenant isolation, and no permission check preventing a low-privilege user from accessing other organizations' records."

Let me guess though. They are SOC2 and ISO compliant right ?

[sailfast]

One hopes not as this stuff would have come up in even a cursory audit of the product - but it’s kinda like Ratings Agencies / Moody’s in 2008 right now until a big breach that occurs post-cert and they lose their credibility.

[zbentley]

The number of FISMA-HIGH, ATO’d/RMF’d, security audited government systems I’ve seen with equivalent security issues is…substantially nonzero.

I have come to believe that most security audits, even ones conducted through widely-reputed groups or under strict standards, are much worse than useless.

Audits are a thing that can theoretically be done well/in a value-adding way, but rarely are, for the same reasons that most private-sector security teams I’ve worked with are effective only at generating internal badwill, and ineffective at increasing security above a very low baseline.

[moron4hire]

I've been trying to figure out what exactly or IT Security Team does. Because all they seem to do is create stupid impediments that actually push people into making work arounds that make everything less secure.

For example, they won't create for me an MS Entra ID App Registration for our internal project Because Security Reasons (they literally won't tell me why). So instead, I use Integrated Windows Authentication, which is about as secure as a hotel bar patron charging to "his" room.

They are insisting everyone start RDPing into a VM in Azure to do development work. Won't be able to get to the new source control system without it. Old system is losing its license, etc, etc. Oh, but the new system is not approved for storing CUI. So... what the actual fuck are our AFSIM developers supposed to do?

These VMs are 1/4 the hardware specs of my laptop in almost every dimension, yet still somehow car 50% more to rent per year than the entire purchase price of my laptop. Plus they are timesharing is in them, 4 developers per VM. It's not like we live in majorly different timezones. We're either all going to be on from 9am - 5pm EST or we're not.

Within these VMs, I have absolutely zero ability to install any software or modify any settings. Even the god damn clock is set to GMT+0 and I can't change it to local time. Sure would be nice if the must visible clock in my visual field accurately portrayed the current time when I have the RDP session running full screen, which is basically the only way to run it without wanting to hammer drill my brains out.

I have heard rumors that a lot of the other developers have started working from their personal devices, because otherwise they are at a complete work stoppage on their work computers due to the cockamamie IT setup. So congratulations, IT Security Team. Good job.

I still want to know why--when we're wanting to run services like Document Intelligence and Azure OpenAI in Azure GCC High, a FedRAMP-High approved environment with these services claiming DoD Impact Level 5 compliance--our IT Security department thinks that can't be used for CUI. They say we need to spend 2 years and $2 million doing some kind of review of Azure itself before it can be approved for CUI. Uhm, no? If it needs that, why would we spend that money and time? Why wouldn't Microsoft be the one to do that?

[skinfaxi]

> I still want to know why--when we're wanting to run services like Document Intelligence and Azure OpenAI in Azure GCC High, a FedRAMP-High approved environment with these services claiming DoD Impact Level 5 compliance--our IT Security department thinks that can't be used for CUI. They say we need to spend 2 years and $2 million doing some kind of review of Azure itself before it can be approved for CUI.

Don't you still have to get program-specific authorization for IL5?

[moron4hire]

I don't know. I've been a software engineer for 25 years, but this is my first DoD job in 20. We didn't have this when I was a junior developer and I don't have the time to learn about this particular part of the process.

We have plenty of program contracts that require IL5. I think you only need ATO to go to IL6 and above (which would be Secret and would require working in a SIPRNet connected network isolated from our corporate network). For just CUI data, I thought you didn't need special authorization.

What I really need is someone I can trust who can come in and tell me what we should be doing, because whatever our IT Security team is telling me sounds ludicrous. There are a whole host of problems with our IT systems that indicate to me that they don't really know what they are doing.

Edit: note, I'm not talking about certifying our own software for use with CUI. That's a ball of wax that our leadership has told us to defer until next year, since for this particular project we don't have any clients yet. I'm talking about our IT dept won't let us send CUI through existing, should-be-approved services in Azure GCC High right now, even from our laptops inside our CUI-approved corp network.

[nonameiguess]

You need an ATO for any government software, not just IL6 and higher. What you're experiencing is cloud service providers only get a provisional ATO for their services. Full compliance with IL5 isolation requirements involves controls both on Microsoft's side and on your side. They have some rough documentation here (https://learn.microsoft.com/en-us/azure/compliance/offerings...) and here (https://learn.microsoft.com/en-us/azure/azure-government/doc...). If you can figure out what you need to do from reading that, well, you're better qualified than I am. It's complicated. I don't think this is on your IT team. The government makes this hard.

If you've been out of the game a while, things got significantly more difficult ten years ago around the time of the OPM breach. CMMC2 requirements got a lot stricter. The only bright side here is everyone is subject to the same bullshit, so you're not at any competitive disadvantage. I get how frustrating it is. We've all been there. But go easy on your own team. It's just as frustrating for them.

[icedchai]

I work with a "global systems integrator" that has IT security policies so insane that it takes 1 to 2 months to onboard a developer and finally get their work laptop set up. Meanwhile, they are basically twiddling their thumbs getting billed out at ~$200/hour, unless they happen to have their own laptop. Some of them just stay working on their own laptops because it's so much more productive.

[tgv]

There have been a bunch. Did any auditor lose a license, credibility, or even a night's sleep? Even accountants aren't held to their standards, and they are supposed to guard the holiest of holiest: shareholder money.

[hobofan]

ISO compliance tells you almost nothing about the security of the product being developed, just about the processes in place at the company developing the product.

[codegeek]

Yes thats why I also added SOC 2. I have gone through an ISO audit for our company so I know the process. The point is that these certifications are mostly a joke but you have to play the game to win "enterprise" deals.