When reforming FISMA, don’t throw out what works

From: GCN

By William Jackson

We now are in the opening weeks of a new Congress, and several cybersecurity bills already have been introduced, aimed primarily at improving cybersecurity education and protecting critical infrastructure. It is just a matter of time before FISMA reform is again brought up.

At 11 years old, the Federal Information Security Management Act of 2002 is well into middle age for an IT law — in fact, it’s probably moving into old age — so it is due for a legislative update. When Congress does address the issue, it should move cautiously, taking the time to evaluate what is right about FISMA and what could be improved, and looking at what agencies have been doing right in securing their information systems.

Moving cautiously does not mean stalling. Any number of FISMA reform bills have been introduced in past sessions, only to die without making it to the floor. But Congress should take the time to ensure that any new law is a clear improvement over the existing one.

FISMA has always had its detractors, but it has proved to be a robust law. One of its strengths has been its ability to evolve through non-legislative means. Over the years, the agencies overseeing it have shifted focus away from static compliance and toward risk management, continuous monitoring and real-time awareness. In the past year or so, the National Institute of Standards and Technology has updated its guidelines on risk assessment (Special Publication 800-30 Rev. 1, revised in Sept. 2012), security controls (SP 800-53 Rev. 4, draft revision issued in February 2012) and continuous monitoring (SP 800-137, issued in September 2011).

Read Complete Article
