RMF professional lost due to our ATO/compliance program lacking integrity?

old.reddit.com / @/u/Ok-Profession6931, https://old.reddit.com/user/Ok-Profession6931

FYI, cross-posting this from cyber over here with the NISTers; hopefully y'all will get my pain.
What do you do at work when nobody cares?



  • For anyone in a NIST/RMF/GRC IT compliance program role, specifically RMF, or those who support federal government cyber efforts
  • Without lamenting how 'lax' government (specifically non-military/intel agencies) is: we get that the culture is very different from the private sector, people are rarely fired, folks don't get gov't jobs for the pay, old tech, archaic processes, etc.
  • Issue
    Our RMF program has ZERO integrity; like, the work is BEYOND a joke. This is a specific rant on those who write and create security package deliverables (aka SSP, ISCP), assessors/SCAs/auditors, and the management team who review those packages to make ATO/risk-based decisions.
  • Let me walk you through our program:
    1) Our ISSOs do nothing.
    2) Our analysts who document system implementation statements have developed a database of copy/pasted words; half the time they don't make sense based on the system, are OBE, or just quite frankly don't answer the security control.
    3) Our SCAs PASS every single control (aka they are scared to fail items; we aren't military, no 4-star general is going to scream at you, they are just lacking leadership and not trained well enough, and now nobody cares or has reason to change).
    4) Our AODR/CISO: I don't know what they look at when they review these packages, because half the time the reports don't make sense and large parts of the assessments are skipped (aka vuln scans)... they just stamp 3-year ATOs without scrutiny.

So collectively I work in a shop where, soup to nuts, there is no leadership, no real cyber risk appetite, no accountability (they don't fire contractors or feds at my agency; actually, outside of the work, it's a great place to be and people don't leave), no training so that people perform their duties, and what really stinks is that all of our ISSOs are government, so they don't enforce or do ANYTHING (I've never seen it this bad).

Mentally it sucks for me as a 15-year IA/cyber vet, but I'm paid very well to work maybe 20 hours, so I just STFU and collect my check.

BUT although I have a lot of friends in the industry, I had to write this post to get some perspective.

submitted by /u/Ok-Profession6931

published 5 months ago