Easing into FISMA and FedRAMP? It’s possible.

From: FCW

By Amber Corrin

Across the federal government, managers are worrying about how to comply with forthcoming security standards, including the possible reform of the Federal Information Security Management Act (FISMA) and the Federal Risk and Authorization Management Program (FedRAMP), even as their budgets shrink and pressure mounts to adopt new technologies. While the transition may not be seamless, insiders say it does not have to be the struggle some fear.

There is no doubt the new rules will be disruptive. Among the many new requirements in the two measures are directives for securing data and other digital assets, adhering to compliance reporting, implementing security efforts that likely include new capabilities, and working with approved technology providers who have passed rigorous testing. Agencies also must either retrofit legacy systems and rework existing contracts or move to completely new versions of both.

FISMA reform is still making its way through Congress, but if the legislation passes, the effect on agencies will be significant.

“It’s a huge change from doing a FISMA scorecard last December to implementing real-time scanning and continuous diagnostic monitoring this year,” Robert Duffy, CIO in the Homeland Security Inspector General’s office, said at a recent industry event in Washington. “It’s changing how we look at the network layer, what people are doing and the network piece that has become embedded with everything else that supports the mission. It’s exciting in one sense because we’re strengthening security … but also presents challenges going forward in what skill sets you really need to work the mission.”

It is not only agencies that must contend with change. Under FedRAMP, which governs government cloud security, providers undergo thorough third-party assessments to ensure they meet all new requirements before receiving accreditation and approval to serve as a cloud vendor for agencies.

Agencies and companies alike face a decision that really has only one option: get on the security train, overcoming obstacles such as upfront investment, cultural resistance to change, and a steep learning curve on numerous and complex controls, standards and requirements.
