[ISN] Questioning FISMA Reform Without a New Law

http://www.bankinfosecurity.com/blogs/questioning-fisma-reform-without-new-law-p-1445 By Bruce Brody Bank Info Security April 4, 2013 A recent article concerning how to reform the Federal Information Security Management Act without enacting new legislation caught my attention. In my take on that article [see 6 Ways to Reform FISMA without New Law], two former Office of Management and Budget officials contend that agency inspectors general should adopt an enhanced risk management framework, after which the National Institute of Standards and Technology would reorient its volumes of guidelines to center on the unknowable threat, which would then drive a more threat-informed risk management framework in each agency. That, in turn, would compel the IGs to prioritize their annual findings against the agency’s risk profile, upon which the chief information officers would incorporate the IGs findings into the agency’s strategic plan. Is this a move that mirrors the best practices of the security programs at the Fortune 500 companies? It’s not even close. This approach disregards the inadequacies of the FISMA legislation and adds naively considered processes to the mountain of processes that clog the agencies’ security arteries. Simply stated, FISMA is flawed, and FISMA must be reformed. To assert otherwise is to not fully appreciate the degree to which FISMA missed the mark on information security and risk management. And continuing to paper it over is not an approach; it’s a never ending tragedy. […] ______________________________________________ Attend #HITB2013AMS April 8th – 11th in Amsterdam. Featuring over 42 international speakers and keynotes by Bob Lord and Edward Schwartz http://conference.hitb.org