Information Security News mailing list archives

Questioning FISMA Reform Without a New Law
From: InfoSec News <alerts () infosecnews org>
Date: Fri, 5 Apr 2013 02:50:40 -0500 (CDT)


By Bruce Brody
Bank Info Security
April 4, 2013

A recent article concerning how to reform the Federal Information Security Management Act without enacting new legislation caught my attention.

In my take on that article [see 6 Ways to Reform FISMA without New Law], two former Office of Management and Budget officials contend that agency inspectors general should adopt an enhanced risk management framework, after which the National Institute of Standards and Technology would reorient its volumes of guidelines to center on the unknowable threat, which would then drive a more threat-informed risk management framework in each agency. That, in turn, would compel the IGs to prioritize their annual findings against the agency's risk profile, upon which the chief information officers would incorporate the IGs' findings into the agency's strategic plan.

Is this a move that mirrors the best practices of the security programs at the Fortune 500 companies? It's not even close. This approach disregards the inadequacies of the FISMA legislation and adds naively considered processes to the mountain of processes that clog the agencies' security arteries.

Simply stated, FISMA is flawed, and FISMA must be reformed. To assert otherwise is not to fully appreciate the degree to which FISMA missed the mark on information security and risk management. And continuing to paper it over is not an approach; it's a never-ending tragedy.
