Time for a Big-Time FISMA Rewrite

Just for the sake of discussion…

I am thinking that the 2002 Federal Information Security Act may need to be updated in a big way.

With all the security initiatives now out there and the growing awareness of how vulnerable everyone is to attacks, I am not convinced that compliance by federal government departments with the current expectations under FISMA will result in the security posture we all desire.

Here’s the rub as I see it. Technology architectures, solutions and ownership seem to have outstripped the policy and procedural boundaries to which we have been accustomed. Examples:
