Information Security News mailing list archives

New FISMA looks a lot like old FISMA, survey finds


From: InfoSec News <alerts () infosecnews org>
Date: Mon, 17 Sep 2012 03:26:21 -0500 (CDT)

http://gcn.com/articles/2012/09/13/datapoint-federal-it-security-survey.aspx

By William Jackson
GCN.com
Sept 13, 2012

The most common concern for federal IT security professionals is regulatory compliance, according to nCircle’s recently released 2012 Federal Information Security Initiatives Trend Study.

The results indicate misplaced priorities, said Karen Cummins, nCircle’s director of federal markets. “If you pick compliance, that suggests we’re a little out of balance,” she said. Agencies are expected to have risk-based security policies and controls in place to help counter the growing threat of online attacks. But despite changes in the way the Federal Information Security Management Act is being implemented, success is still being measured by reporting rather than by results.

The Homeland Security Department has been given primary responsibility for overseeing FISMA, and the emphasis has shifted from periodic assessment to continuous monitoring of IT systems. The term “continuous monitoring” is being replaced by “continuous diagnostics and mitigation,” which Cummins said better reflects the goals of the program. This is to be enabled by automated data streams, which are fed to DHS through its Cyberscope reporting system.

Automated data streams can be powerful tools for risk remediation, but what is being measured is the ability to report the data to DHS rather than its use within an agency. As a result, “the new FISMA looks a lot like the old FISMA,” Cummins said.

[...]

--
#HITB2012KUL - The 10TH ANNUAL HITB Security Conference in Malaysia
with no keynotes, no labs - just three tracks filled with our most
popular speakers from the last decade: http://conference.hitb.org/