Yesterday, I said that the recent survey about FISMA failure is horse shit. I stand by that claim and will now add more.
The only thing this report says is that their process is too focused on compliance and they wish they had more money. When is the last time that you talked to someone where they didn't wish they had more money for their program? Whatever the program was. "I wish I had more money for building my space station" or "If I had another $2 million dollars, I could get something with red blinking lights instead of blue blinking lights."
This survey has had it's effect, we're talking about FISMA. The failure does not lie in the law though. I see and hear about the failures every day. Management buy-in is lacking, risks ignored, security bolt-ones at the end of the project, or security isn't keeping up with technology. I think that just about everyone in this industry could say all the same things. And they don't have a law to tell them they have to do it. A lot of organizations have no prevailing regulatory requirement to follow and those security folks have to get more done with much less than the government provides to a lot of agencies.
One of the slides said that nation-states were attacking the government systems all the time. Whatever, everyone is getting attacked by nation-states.
A different slide said that users were their problem and they didn't have enough training budget. To this, I refer you back two paragraphs where virtually every CISO/ISSO complains about this.
I said on the Southern Fried Security podcast FISMA episode that FISMA improved Federal government security. Anyone that can prove other wise please step forward. Because when FISMA was passed many agencies were lucky to have a firewall and anti-virus. Let alone web application firewalls, intrusion detection systems and pen tests. No one was training users on security awareness on a regular basis (not for the places I was working for anyway).
In the end, FISMA leaves the implementation of policy to the agencies. That policy should be based on 800-53. If you need help, I am here for you.
That is all.