Thursday, May 29, 2008

FISMA Report Card

I know that I am late on this one, but I have been busy. Just for a brief moment let's consider the point of these report cards and from where they come.

My personal feeling is that the report card means nothing and says even less. They apply an arbitrary metric to an ambiguous reporting mechanism. Any agency could have the best, most secure systems. If they don't report on it correctly, they can still fail. This also means that if the people performing the reporting are not trained correctly they can fail. Lastly, those who know how to report can pass without necessarily having secure systems.

Someone told me recently that the intent of this is to: a) make Congress feel good about doing something productive and b) inspire agency competition for success.

Sorry I am so negative on this, but again there is an "end of project requirements mismatch discovery". OMB, NIST and others recognize that good information systems security comes from well-written policy and superior risk management. Meanwhile, others will try to sell IDPS, firewalls and log management platforms as solutions to your FISMA problems.

This report card reinforces an oversimplified view of how easy or hard it is to secure an enterprise.
