Don't be too quick to dismiss FISMA

By William Jackson
July 12, 2010

The Federal Information Security Management Act has become the whipping 
boy for security vendors, chief information security officers and 
legislators, but we should not be too eager to abandon it, says a 
leading security researcher at the National Institute of Standards and 

"We tend to want to make 'compliance' a bad word today," said NIST 
senior computer scientist Ron Ross. But regulatory compliance does not 
have to be a static checklist, and it is part of effective risk 
management, he said.

If the regulations are fundamentally sound and adaptable, they can 
evolve to address a rapidly changing security environment, and that is 
what is happening with FISMA, he said. "The fundamental reforms already 
are ongoing, coming from grass-roots activities," not from policy or 
legislative changes, Ross said.

As the head of NIST's FISMA implementation program, Ross, who spoke 
recently about changes in cybersecurity requirements at a forum hosted 
by InformationWeek, is hardly a disinterested observer. Since the 
passage of FISMA in 2002, a great deal of the resources of NIST's 
Computer Security Division have gone to creating standards, 
recommendations and guidelines on how to achieve compliance. That body 
of work has been praised as one of the accomplishments of FISMA while at 
the same time condemned as overly comprehensive and prescriptive.
