This month the federal government launched a new online FISMA reporting application, CyberScope, based on the Justice Department's Cyber Security Assessment and Management (CSAM) system, which was already offering FISMA reporting services to other agencies through the Information Systems Security Line of Business initiative. As noted in a recent interview with federal CIO Vivek Kundra, the initial intent of CyberScope is to replace the heavy reliance on electronic documents submitted as email attachments with a centrally managed, access controlled repository. Kundra has also noted that he (along with Sen. Tom Carper and many others in Congress) would like to help move agency information security management away from emphasizing compliance and towards continuous monitoring and situational awareness. With any luck the use of online reporting will evolve to make the FISMA reporting process more automated and less onerous for agencies, while the content and emphasis of the FISMA reporting requirements continue to be revised and, hopefully, improved. As long as agencies are still reporting the same information under FISMA requirements, having a better mechanism to support that reporting won't do anything to address FISMA's shortcomings, particularly its failure to address ongoing assessment of the effectiveness of security controls implemented by federal agencies.
Over the past couple of years, NIST has made a renewed push to get federal agencies to apply consistent risk management practices to their information security management decisions. This is a worthwhile goal, but as the authority designated to establish federal agency security standards, NIST itself frustrates efforts to manage security in a risk-based manner by requiring extensive security controls for information systems based not on the specific risk profile of the system, but instead by a broad low-moderate-high security categorization system. The practice of requiring the same set of controls for all systems categorized as "moderate," for instance, suggests that the risks associated with all "moderate" systems is the same. This is a false assumption that violates one of the fundamental principles of information security management, which says that assets like systems and data should be protected to a level commensurate with their value, and should be protected only as long as the assets are still of value. This principle of "adequate protection," while less simple to implement in practice than it sounds in theory, is nonetheless a sensible approach for organizations trying to allocate their security resources in and effective manner. The goal of following system-level risk management practices demands an approach that differs from the "one size fits most" control requirement used in current federal guidance.