Satellite weather forecast: Cloudy with a chance of p0wnage

Anonymous Coward

Re: You see, this is the kind of stuff that discredits government-led initiatives...

There's a fair bit of truth to what you are saying. But there's also some foot dragging going on in some places.

I don't think it was the JPSS group, but I know one of the groups still thought they could use their high security/high availability status as an excuse not to implement the HSPD-12 requirements, which were issued back in 2004.

Having also been on the periphery of discussions, I understand their desire to have 12 months on the POA&Ms. Sometimes the auditors run new reports and say it isn't closed because even though you fixed the ones from the last scans, there are now new ones. But you really do need to have actually fixed the 90-day ones before you can make that complaint.

Thankfully I'm not directly part of implementing these things. I'd go nuts trying to keep up with it all. I just have to make sure the systems have been built out with our baseline and that the vulnerability scanning has been completed before I deploy the system. After that, our patch manager with his automated system takes over and we just get the call if a PC stops talking to the patch management system. I am reasonably confident our systems are mostly (95%+) patched within 30 days of patches being released. Ironically, we're only a moderate, not high, risk system. But maybe that actually makes patching easier.

AC because I have supported or support at least three of the names that were CC'd on the OIG report.
