The essence of it being that FISMA is a failure (still) and government doesn't know how to secure a rowboat, let alone the vast number of systems in existence. Also that
No information security program is perfect, and based on this article many think that they are going to improve their programs simply because of continuous monitoring. Wrong.
The continuous monitoring needs to be effective, not lip service. Many agencies are hindered by congressional budget wrangling in the form of sequestration and other stupidity. They are further hindered by grandstanding and empire-building. The thing that seems to be lost is that they probably could do better if someone wasn't telling them they only need
The title of the article states that they can do better. But most of the time, it's the basics that are failing agencies.
What you need:
- Get a decent policy document together based on 800-53 Rev 4 (this includes tailoring and filling out all the little spots you are supposed to);
- Assess your risks and not just your policy violations or exceptions;
- Centralize what you can (if you're a big agency or department, why not use the economics of scale? i.e. IR, Media Management, Asset Management, other less sexy things);
- Plan, Plan, Plan;
- Train, Train, Train;
- Scan, Scan, Scan;
- Patch, Patch, Patch;
- Watch your logs; and finally
- Accept your failures and learn from them.
The article alluded to some of this. But if you have a decent program, then your compliance will happen.
That is all.