Posted on Friday, May 30th, 2008 at 12:23 pm
Critics question value of federal IT security report card
IDG News
The big problem, according to Paller and other critics, is that FISMA doesn’t require agencies to actually demonstrate that they have effectively implemented the mandated controls, thus bolstering their IT security. For instance, an agency that can show it has a security awareness training program in place is deemed to be compliant with that requirement, even if no employees have received any actual training, Paller said.
Gartner Inc. analyst John Pescatore said that FISMA has succeeded to a large extent in focusing attention on cybersecurity issues governmentwide. “At least it’s forcing government agencies to publicly state how well they’re doing with security,” he noted. “Where are the grades for private industry?” But as with numerous other government initiatives, FISMA has become too “paperbound” and too heavily focused on process issues, Pescatore said.