The Federal Information Security Management Act (FISMA) is designed to help Federal CIOs move toward a comprehensive process of information security across their agencies. However, FISMA has been criticized as just a checklist used by inspectors general (IGs) for compliance. This article by Jason Miller at Federal News Radio discusses the subject and how the auditors and operators may be moving toward a more effective process:
IGs, IT executives to experience a FISMA détente
Summary: As OMB finalizes new FISMA metrics for 2016, agencies and IGs continue to struggle with a disconnect over risk versus compliance.
Jim Quinn, the lead system engineer for the Department of Homeland Security’s continuous diagnostics and mitigation (CDM) program, said too often IGs rely on checklists to determine whether or not agencies complied with the policy and law requirements.
“They have a standard pro-forma checklist that says ‘Have you done A, B and C?’ with no acknowledgement of whether A, B and C are really things that are important to what you are trying to achieve or whether you have done other things to make those controls less relevant because you’ve put compensating things in that limits your risk on them,” he said. “I think that this is one of the challenges, even looking at things like Federal Information Security Management Act (FISMA) metrics is how do we allow the agencies and departments and the mission groups to really be able to say ‘You have to look at the risk I’m willing to take in the context of what I am doing.’”