William Jackson on FISMA: It Works, Maybe

Posted June 30th, 2008 by

Article from William Jackson in Government Computer News:  Security policies remain a burden to federal IT managers, but they are producing results.

First off, GCN, come into the modern Web 2.0 era by letting people comment on your articles or at least allow trackbacks.  Having said that, let’s look at some of Mr Jackson’s points:

  • NIST Special Publications: They’re good.  They’re free.  The only problem is that they’re burying us in them.  And oh yeah, SP 800-53A is finally final.
  • Security and Vendors/Contractors:  It’s much harder than you might think.  If there’s interest, I’ll put out some presentations on it in my “copious amounts of free time”.  In the meantime, check out what I’ve said so far about outsourcing.
  • Documentation and Paperwork:  Sadly, this is a fact of life for the Government.  The primary problem is the layers of oversight that the system owner and ISSO have.  When you are as heavily audited as the executive branch is, you tend to avoid risks and overdocument.  My personal theory is that the reason is insistence on compliance instead of risk management.
  • Revising FISMA:  I’ve said it time and time again, the law is good and doesn’t need to be changed, the execution is the part that needs work.


Similar Posts:

Posted in FISMA, NIST, Outsourcing, Risk Management | 3 Comments »
Tags:

3 Responses

  1.  Mike Says:

    > the law is good and doesn’t need
    > to be changed, the execution is
    > the part that needs work.

    Here here. I couldn’t agree more Michael.

  2.  Dan Philpott Says:

    We could use more advocates for the FISMA process. Detractors of FISMA have well known talking heads. FISMA professionals need to cultivate a few of their own.

  3.  rybolov Says:

    @Dan

    Fruck, I’m trying…. =)

    It sounds like I’m a FISMA fanboi every other day here.

Leave a Comment

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.


Visitor Geolocationing Widget: