I'm subscribed to numerous mailing lists from SANS, and this morning this little tidbit came across the @RISK list (full email here):
"For everyone who has ever tried to reduce vulnerabilities, and found it very hard, today is a very good day. NIST just announced (this morning) that it is launching a cooperative effort involving NSA, DoD/DISA, DHS, and the Center for Internet Security, with the help of security and software vendors, to radically upgrade vulnerability management. The program will bring automation and standardization to vulnerability management, and it is real. Within a few months, you should expect to see new procurement language that can be used by any organization buying software or system or system integration, that will require the vendors and contractors to deliver systems and software compatible with the new automated vulnerability management program. SANS will do a free webcast on it shortly to give you more details."

I'm pleased to hear this, as I think it has great potential. However, with every U.S. government program I reserve judgement until I see the results, as they often have good ideas or plans, but horrible implementation. A good example is FISMA, which gives government agencies scores based NOT on how they secure their infrastructure, but on how well they document it. In other words, they spend more time documenting than fixing the problems they've documented.
I know, because I do IT security work for the government. I spend up to 4 months a year focused on documentation and reporting, and I'm lucky in that I'm responsible for a "small" system, approx. 350 devices.