As government agencies move toward cloud computing and more complex systems -- systems which may have business processes embedded into service-oriented architectures -- it may be that FISMA will lose traction as the best long-term solution for keeping government systems secure. The Federal Information Security Management Act was signed into law in 2002. The law stressed that information security is an important part of the nation's economic and national security. FISMA rules require each federal agency to d
FISMA has been a powerful solution for many security problems, but IT managers and contractors have long complained that it can be ponderous to manage and that it slows implementations and reaction time. This problem has come to a head at a time when government offices are seeking cloud-based solutions for some of their computing needs and rearchitecting the business logic of some key solutions.
Instead, many IT managers now promote the idea of "continuous monitoring", which is both the process and the associated technologies used to monitor compliance and risk issues associated with IT and business operations. This may be done with special audit software combined with things like configuration management solutions, controls monitoring and inspection of authorized transactions, so that deviations from an approved state are detected as they occur rather than at the next periodic assessment.
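To make the configuration-management side of continuous monitoring concrete, here is an added example (not code from the original article or from any agency tool): a minimal check that fingerprints a live configuration snapshot, compares it against an approved baseline, and reports each deviation as a finding tied to the control it evidences. The baseline, the snapshot, the setting names and the control labels are all constructed placeholders chosen for illustration.

```python
"""Added example: one continuous-monitoring cycle over a configuration baseline.
Baseline, snapshot, setting names and control labels are constructed placeholders."""
import hashlib
import json

# Constructed approved baseline for one host (hypothetical setting names/values).
BASELINE = {
    "ssh.permit_root_login": "no",
    "ssh.password_authentication": "no",
    "audit.enabled": "yes",
    "firewall.default_inbound": "deny",
}

# Hypothetical mapping from each monitored setting to the control it evidences.
CONTROL_MAP = {
    "ssh.permit_root_login": "Access control: privileged login",
    "ssh.password_authentication": "Identification and authentication",
    "audit.enabled": "Audit and accountability",
    "firewall.default_inbound": "Boundary protection",
}


def fingerprint(config):
    """Stable SHA-256 over a canonical JSON form of the snapshot, so the audit
    trail records exactly which state was evaluated, independent of key order."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def check_drift(baseline, current, control_map):
    """Compare a live snapshot against the baseline and return a list of findings.
    Three cases are distinguished: a baselined setting has drifted, a baselined
    setting is missing entirely, or a setting is present that was never baselined."""
    findings = []
    for key, expected in baseline.items():
        if key not in current:
            findings.append({"setting": key, "control": control_map.get(key, "unmapped"),
                             "issue": "missing", "expected": expected, "actual": None})
        elif current[key] != expected:
            findings.append({"setting": key, "control": control_map.get(key, "unmapped"),
                             "issue": "drift", "expected": expected, "actual": current[key]})
    for key in sorted(set(current) - set(baseline)):
        findings.append({"setting": key, "control": "unmapped",
                         "issue": "unbaselined", "expected": None, "actual": current[key]})
    return findings


def run_check(baseline, current, control_map):
    """One monitoring cycle: fingerprint the snapshot, evaluate it, and return a
    report a dashboard or ticketing system could consume."""
    findings = check_drift(baseline, current, control_map)
    return {"snapshot": fingerprint(current), "compliant": not findings, "findings": findings}


# Constructed live snapshot with two deviations: root login re-enabled and an
# unbaselined telnet setting that appeared on the host.
SNAPSHOT = {
    "ssh.permit_root_login": "yes",
    "ssh.password_authentication": "no",
    "audit.enabled": "yes",
    "firewall.default_inbound": "deny",
    "telnet.enabled": "yes",
}

if __name__ == "__main__":
    print(json.dumps(run_check(BASELINE, SNAPSHOT, CONTROL_MAP), indent=2))
```

Run on a schedule, each cycle's snapshot hash and findings become the evidence an assessor would otherwise collect by hand; the "unbaselined" case matters because new services appearing on a host are as much a risk signal as a known setting changing.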
On the legislative side there are two bills that could influence federal agencies' cybersecurity directives. These are the National Defense Authorization Act (NDAA) and the Intelligence Authorization Act (IAA). The NDAA supports the idea of continuous monitoring. The IAA focuses on vulnerability assessments and encourages a rethinking of cybersecurity rules.
In reality, FISMA might keep government systems a bit safer. But this extra bit of safety is accomplished by locking down systems in a very restrictive way at a time when new and more cost-effective solutions are needed. IT system security is really about risk management: knowing where the greatest risks are and addressing them. This approach, combined with effective continuous monitoring solutions, allows for more flexibility when it comes to government business processes and system productivity.
It's not yet clear if FISMA will fizzle out, but there is a growing chorus of voices who would like to see FISMA requirements change.