FISMA – Is Something Missing?

Since it was signed into law, the Federal Information Security Management Act of 2002 (FISMA) has faced many challenges, both in establishing itself in the federal landscape and in developing the framework needed to put its principles into practice. Although FISMA has been in existence for five years, many would say that security has shown only limited improvement, while others would stand by its success.
Those familiar with FISMA have experienced the uncertainty of the initial implementations, and have also seen some key improvements brought about by the increased visibility of security. FISMA has made security a mandated priority, whereas prior to its enactment security received only limited attention. The work performed by the National Institute of Standards and Technology (NIST) has been instrumental in taking a legislative mandate and, through multiple iterations, refining the processes and practices that have taken shape across the federal government. However, a great deal of work remains to give federal agencies, and the contractors hosting federal information and information systems, the assurance needed to sustain a measurable security posture that can be monitored more effectively and efficiently.
I would not consider FISMA in itself to be a failure; instead, I believe its major weaknesses stem from the lack of a baseline set of measurements that can be used to show measurable improvement. According to the Office of Management and Budget (OMB) 2009 IT Budget Summaries, IT security spending could see an effective increase of at least 10.3 percent over the actual 2008 budget, which means agencies need better parameters for demonstrating where the failures lie when a D or F rating is given on the Computer Security Report Card.
IT security is not an exact science, because not all environmental characteristics that affect security can be completely relieved of risk. Managing that risk requires proven measurements to demonstrate that security can be adequately managed if it is properly planned and implemented. Such measurements could also provide assurance to senior leaders within the federal government that, if funding is properly allocated to support IT security requirements, there is a direct relationship to meeting security goals. Without a platform to capture these performance measurements, security will only be an increasing spiral of cost with no tie-back to a return on investment.