But I am fairly certain that someone said, "Go write something about FISMA." For me, it is additional aggravation. Why? Let me tell you.
They ask the same people the same questions every time expecting a different result. Albert Einstein said it best.
At a minimum, FISMA is a paperwork drill; when properly applied, it can actually benefit the organization. Like most things, you reap what you sow. If you believe it is a paperwork drill, then that is what you get. If you believe that value can be driven by:
- requiring that a set of controls be implemented;
- testing against that set of controls;
- identifying risks based on a control's lack of implementation;
- strengthening the controls now that you know the risks;
- tracking residual risks throughout the life cycle of the system;
then you may see some return.
My opinion is that those who think a paperwork drill is sufficient should consider changing their tune, because it won't be long before someone expects real risk management.
Think: SP 800-60 is to FIPS 199, and SP 800-53 is to FIPS 200, as SP 800-39 is to ...?