Questioning FISMA Reform Without a New Law
From: InfoSec News <alerts () infosecnews org>
Date: Fri, 5 Apr 2013 02:50:40 -0500 (CDT)
By Bruce Brody
Bank Info Security
April 4, 2013
A recent article concerning how to reform the Federal Information
Security Management Act without enacting new legislation caught my
In my take on that article [see 6 Ways to Reform FISMA without New Law],
two former Office of Management and Budget officials contend that agency
inspectors general should adopt an enhanced risk management framework,
after which the National Institute of Standards and Technology would
reorient its volumes of guidelines to center on the unknowable threat,
which would then drive a more threat-informed risk management framework
in each agency. That, in turn, would compel the IGs to prioritize their
annual findings against the agency's risk profile, upon which the chief
information officers would incorporate the IGs' findings into the
agency's strategic plan.
Is this a move that mirrors the best practices of the security programs
at the Fortune 500 companies? It's not even close. This approach
disregards the inadequacies of the FISMA legislation and adds naively
considered processes to the mountain of processes that clog the
agencies' security arteries.
Simply stated, FISMA is flawed, and FISMA must be reformed. To assert
otherwise is to not fully appreciate the degree to which FISMA missed
the mark on information security and risk management. And continuing to
paper it over is not an approach; it's a never-ending tragedy.