A FISMA Alternative -- Finally

After years of calling for an alternative to the Federal Information Security Management Act of 2002, one may have been proposed -- or at least the start of one. As Nextgov reported today, Rep. Jim Langevin, D-R.I., introduced the 2008 Homeland Security Network Defense and Accountability Act. Generally, the knock against FISMA is that it measures processes, not results. For example, good FISMA compliance requires providing training for "employees with significant security responsibilities," but nowhere does it require the agency to test how much the employees learned or retained from the training. With FISMA, agencies aren't sure how good or bad their security vulnerabilities are because FISMA doesn't test for them.

Langevin's bill takes a stab at measuring actual security results, at least for the Homeland Security Department, and, as some security experts hope, eventually governmentwide. The key to the bill is requiring DHS to test whether it can successfully defend its networks against known cyberattacks and to conduct vulnerability testing. The bill would have DHS measure what is actually happening on the ground and defend itself against real threats.
