The Federal Information Security Management Act (FISMA) of 2002 has been the cornerstone of information security in the Federal Government for the last 11 years. It mandates that federal agencies develop, document and implement information security programs to protect their information systems and the information on them. FISMA focuses on compliance, grading each agency's security based on how many FISMA requirements are met.
As a result, the process has become more about an agency compiling a list of items that are FISMA compliant, and less about securing the information and the information systems themselves. It has become evident that this static, compliance-based approach is neither effective nor adequate for protecting federal government systems. Furthermore, the technology advances of the last decade have brought both challenges and opportunities for protecting these systems effectively.
It is time to have a more proactive approach to combat evolving cyber security threats and better protect national information infrastructure. A more dynamic framework is needed, one that requires actively monitoring the threats and performing risk assessment to determine the security posture on the federal information systems.
Last month, the Federal Information Security Amendments Act of 2013 was introduced in the House (a similar bill was introduced in 2012). This bill is risk-based instead of compliance-based and, if passed, will place new mandates on departments/agencies and their information security officials. It will require each department/agency to use the latest technologies to actively monitor the security of its information systems and to perform regular risk assessments.
We may soon have an enhanced FISMA.