From: SANS News Bites in response to news reports that most agencies will not meet the deadline for FISMA continuous monitoring requirements.
(Paller): It’s never been about the money. Ever since both Senate and House hearings and White House leadership have called upon agencies to replace C&A reporting with continuous monitoring and mitigation, two barriers have consistently blocked broad adoption: (1) the contractors who are earning $350 million every year writing out-of-date and unread security reports for certification and accreditation updates, and who don’t want to give up that money even though they know they are wasting federal funds, and (2) the IGs who give the contractors cover because they don’t know how to, and have not tried to, measure continuous monitoring and mitigation systems. A phone call I had with the IG from a major agency this week says that the second barrier is falling across several agencies. There is more than enough money wasted in C&A report writing to fully fund continuous monitoring and mitigation.