BreachExchange mailing list archives

5 ways FISMA reform will bolster federal security practices

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Sun, 21 Dec 2014 17:58:53 -0700

http://www.govhealthit.com/news/5-ways-fisma-reform-will-bolster-federal-security-practices

The Federal Information Security Modernization Act (FISMA), passed this
month and expected to be signed by President Obama before year’s end, aims
to bring cybersecurity into the 21st century.

FISMA, which updates the Federal Information Security Management Act of 2002,
promises to give Federal employees, including those working in
health-centric agencies such as Health and Human Services, more up-to-date
IT tools to diagnose and improve security.

At its passage in 2002, the first FISMA seemed like a cutting-edge reaction
to the needs for economic and national security interests of the U.S.,
requiring federal agencies to develop and document programs to secure their
information and systems.

That was then and this is now — a new era of Chinese cyberthreats, massive
retail store security breaches in which millions of customer identities get
stolen, and the penetration and defacement of government websites on a
semi-regular basis.

Over the years, instead of being viewed as a protector of information from
the bad guys, FISMA came to be viewed as an outdated checklist-driven
process that forced workers to fill binders with risk assessment paperwork
to little effect and great cost.

The updated FISMA promises to change the way security is developed and
managed in federal government, enabling and pushing agencies to take a
proactive approach to information security. Meritalk, an online community
focused on government IT, has listed 5 ways FISMA will affect federal
government IT workers’ jobs:

1. Fewer paper trails: The updated FISMA will compel agencies to replace
cumbersome, time-consuming annual checklists with continuous systems
monitoring to assure proper security measures.

2. Every data breach must be reported: Agencies must now report information
breaches on Federal systems to Congress. With such oversight, organizations
will be forced to better understand breaches, and it will be harder to sweep
them under the rug.

3. New reforms can come at a faster pace: With FISMA, OMB and the White
House won't need to act in a piecemeal fashion to grant DHS the authority
to assure the security of Federal civilian agencies. The reform will retain
the White House and OMB’s overall jurisdiction over Federal government IT
security. This allows for sweeping changes that could disrupt agency
operations more rapidly than in past years.

4. Greater autonomy, adaptability: Agencies can procure and implement
best-of-breed technologies that suit their individual goals. Lawmakers
recognized “that the selection of specific technical hardware and software
information security solutions should be left to individual agencies from
among commercially developed products.”

5. Agencies will carry a heavier burden: "It forces them to act rather than
just to sit on their heinies," said Alan Paller, founder of the SANS
Institute who has long pushed for a change to FISMA, in a Politico report.

No doubt, as new cyberthreats will present security problems thus far
unanticipated, federal information security managers will look to the
updated FISMA for resources and ideas to head them off.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 