Author Archive

Is the Federal Government Moving Away from a Checklist-type View of FISMA Compliance?

The Federal Information Security Management Act (FISMA) is designed to help Federal CIOs move toward a comprehensive process of information security across their agencies. However, FISMA has been criticized as just a checklist used by IGs for compliance. This article by Jason Miller at Federal News Radio discusses the subject and how the auditors and operators may be moving toward a more effective process:

IGs, IT executives to experience a FISMA détente

Summary: As OMB finalizes new FISMA metrics for 2016, agencies and IGs continue to struggle with a disconnect over risk versus compliance.

Jim Quinn, the lead system engineer for the Department of Homeland Security’s continuous diagnostics and mitigation (CDM) program, said too often IGs rely on checklists to determine whether or not agencies complied with the policy and law requirements.

“They have a standard pro-forma checklist that says ‘Have you done A, B and C?’ with no acknowledgement of whether A, B and C are really things that are important to what you are trying to achieve or whether you have done other things to make those controls less relevant because you’ve put compensating things in that limit your risk on them,” he said. “I think that this is one of the challenges, even looking at things like Federal Information Security Management Act (FISMA) metrics, is how do we allow the agencies and departments and the mission groups to really be able to say ‘You have to look at the risk I’m willing to take in the context of what I am doing.’”

Posted in: Insights

Is Legislation Required to Make Federal Shared Services Successful?

2ndWave has worked with several Federal agencies to help them provide a shared service, evaluate available shared services, and migrate to a shared service for financial and grants management systems. Transitioning to a shared service, or becoming a shared service provider, presents challenges to any Federal agency because of the risks involved, the lack of experience many agencies have in either role, and the potential lack of direct control. Further, agencies have to consider how well shared service providers meet their requirements and how those providers plan to refresh their services over time to reflect technological and process innovation.

Another area of concern is a lack of governing legislation. Unlike other aspects of their business processes that are supported by legislation such as the CFO Act and the Clinger-Cohen Act, Federal CFOs and CIOs are not similarly supported by legislation defining how agencies should both produce and consume shared services.

This commentary by John Marshall of the Shared Services Leadership Coalition, published in Federal Computer Week on June 22, 2015, makes a strong case for why legislation is needed to drive better and faster progress in the movement of Federal agencies to shared services. It is an interesting perspective that adds to the overall dialogue on Federal shared services.

Federal shared services: Why legislation is necessary

Posted in: Insights