I remember it like it was March: Georgia voluntarily adopted FISMA-esque metrics. I just found the policy statement for what they’re collecting in 2008. On a side note, all of Georgia’s security policies feature concepts borrowed from NIST, something I like.
Let’s talk about the scope creep of Government security, shall we? Fact of the matter is, it’s going to happen, and you’ll eventually get caught up in FISMA if you’re one of the following:
- State and local government
- Government contractor
- Government service provider
- COTS software vendor
- Utilities who own “Critical Infrastructure”
Why do I say this? Mainly because, just like how the DoD is discovering that it can’t do its InfoSec job without bringing the civilian agencies along due to connectivity and data-sharing issues, the Federal Government is coming to the point where it can’t secure its data without involving these outside entities. Some are providers, but the interesting ones are “business partners”–the people who share data with the Government.
State and local government are the ones to watch for this pending scope creep. The Federal Government works on the premise that the responsibility to protect data follows wherever the data goes–not a bad idea, IMO. If they transfer data to the states, the states need to inherit the security responsibility and appropriate security controls along with it.
Now if I’m a contractor and exchange data with the Government, this is an easy fix: they don’t pay me if I don’t play along with their security requirements. When a new requirement comes along, usually we can haggle over it and both sides will absorb a portion of the cost. While this might be true for some state programs, it becomes a problem when there is no money changing hands and the Federal Government wants to levy its security policies, standards, etc. on the states. Then it becomes a revolt against an unfunded mandate like RealID.
There are some indicators of Federal Government scope creep in the Georgia policy. This one’s my favorite:
The performance metrics will also enhance the ability of agencies to respond to a variety of federal government mandates and initiatives, including the Federal Information Security Management Act (FISMA).
Georgia on my Mind by SewPixie.