Shmoo #2

Watching this about FEDRamp.

Off-the-cuff notes:

There’s a bot on Discord that searches for FIPS, and replies “FIPS is stupid.”

DoD has a strange ix of FIPS and old AF DoD controls

You should be using KMS.

Tenable now does have now have FEDRamp auth for scans.

Focus on identity control and change management.

You do inherit some things from Azure or AWS, but it doesn’t fix everything. It does make documentation package simpler.

Advicee is to use FEDRAmp mod over ____ (for small biz). It helps some, but very few products can actually use it. Tailored? Taylor’d?

Still not clear how POA&Ms can be aggregated.

If you’re in planning, use Rev5 for new things. Other Rev4 can stick for a while, but don’t do anything new.

Push to actually make one-stop shop.

LOE for POA&Msmis very, very, very high.

OMB has solicited comments on IT regulations, related the initial guidance on FEDRampl

Question about using LetsEncrypt certs on FEDRamp. (And you’re reading on a site sekur3d by LE..)

I do kind of understand what they’re trying to do, but I have kind of an automatic repusion towards it.

The idea of sending out really not-even-beta-leval solutions really just bothers the hell out of me.

zOMGSEKUREREST bits, showing that things are good is one thing…but you should have to show that A) the product sorta kinda works in the lab first, and B) scans of that sorta kinda working product happened before you plugged it in to the fucking Internets.

Too much of what I’ve seen lately fail on both of those questions.

But we’re moving way faster than before…IN AGILE SPRINTS….putting out things that probably don’t work as intended, and have quesitonable security.

But, like, it costs a bunch moar, so it must be good.