FISMA: Wrong Approach to Information Security

When the Congress attempts to regulate behavior or dictate outcomes within or beyond the republic, it has few effective tools for direct control. Making an activity illegal does not stop the activity; it just changes the risk-reward calculus for anyone contemplating such an act. Rewarding certain economic choices with favorable tax treatment nudges the economy in certain directions (not always those wished for by the tax tinkerers).

The Federal Information Security Management Act (FISMA) is a wonderful example of Congress and the executive branch using blunt tools to bludgeon reality into a new path. The problem is clear: FedWorld doesn’t do a world class job of protecting sensitive information on either side of the Potomac. But the congressional response was to institute annual reporting, to empower (but not fund) inspectors general to provide independent assessments of the basis of such reports and to empower (but not fund) the National Institute of Standards and Technology (NIST) to develop standards for non-classified information.