by fname 4021 days ago
I don't disagree. Unfortunately, this all falls on DoD-DISA. The NSA works with DISA to write the policy for how to secure systems (called STIGs) and also has 'Red Teams', but they aren't the arm that certifies these systems before coming online, nor are they the ones the ensure the systems stay secured as new vulnerabilities are found and patched -- that's DISA again.

I could see the CIA/NSA taking their vetting back in house. Every CIA and NSA employee must be incandescent with rage over this cock-up.
That makes sense from an org-chart level. But if that's actually the thinking inside, it represents a total lack of ownership on their part to get to the overall goal of security.
You obviously know what you're talking about, but DISA can't enforce STIGs across the entire government can they? Some say that's DHS's job, or some Office within DHS (or within an Agency under DHS).
> but DISA can't enforce STIGs across the entire government can they?

No, with a small caveat: If that civilian agency (say DHS) is connected to the GIG[1], then DISA has a say-so and can threaten to disconnect them for failing security audits.

Something to keep in mind is that the STIGs are merely implementation guides to secure a system. Therefore, different agencies have different interpretations. In some cases specific secure implementations break systems and applications (mostly legacy ones), so they avoid securing those particular settings altogether.

1: https://en.wikipedia.org/wiki/Global_Information_Grid