FISMA in the Private Sector: Does it Make Sense?

I’ve been watching the FISMA and cyber security space closely the past few months, which you probably know if you’ve seen some of my previous posts on the topic. There has been a fair amount of discussion more recently in the blogosphere regarding FISMA; particularly focused on the extension of government IT security regulations such as FISMA into private industry.

There are several factors driving this discussion. A number of proposed regulations have been floated recently that extend Federal power over cyber security and the Internet in general. Some of the proposals include a national coordinator for Cyber Strategy, aka the “Cyber Security Czar.” Some regulations focused both on financial oversight and cyber security will extend their reach beyond the government to private industry in general. Based on a brief review of the conversation in the marketplace, there appears to be a fair amount of concern regarding the cost, effectiveness and scope of proposed changes to cyber regulations that apply to industry.

Posts on the Security and Architecture blog and Government Health IT discuss FISMA and the likelihood that private industry will have to adopt Federal security requirements in order to participate in the government health information exchange. The scope of this plan, basically extending the provisions of FISMA to the entire healthcare industry, has generated a lot of concern. In addition to the huge cost to the private sector of rolling out new processes, tools, etc. to comply, there are concerns that FISMA-based determinations of compliance are largely subjective, and that the current iterations of the FISMA guidance identify no penalties for breaches or non-compliance. This last issue may of course change with the new cyber legislation being considered, but there has been widespread criticism of FISMA as a “paper exercise.”

Andrew Jaquith recently posted a topic on “Will Obama’s New Cyber-Security Plan Make a Difference? We Can Only Hope.” In the post he talks about FISMA, and how it ultimately results in developing processes and managing compliance, not in providing insight into how secure the supposedly protected systems actually are. He also covers the results of the Government-wide policy review of cyberspace, including its recommendations. He expects private industry to see little immediate impact, but to expect further efforts around information sharing and incident response.

On this last point, much has been made of the presidential “Internet kill switch,” as defined in the updated Cybersecurity Act of 2009. This is a new provision that would allow the President to respond to a cyberattack by ordering the shutdown of private networks. The original proposal would give the President the authority to declare a “cyber emergency” and order the limitation or shutdown of various networks.

On his Backspin blog, Mark Gibbs tackles this topic – discussing if the kill switch is possible, and whether it’s advisable for the government to have this level of control. It’s a good read, giving us many things to think about in the coming months as new legislation is finalized.

Of course, much of this may be speculation. The Cybersecurity Act of 2009 is still under debate and actively being amended. In addition to the Internet kill switch, lawmakers are also considering a government credential for IT security professionals, and defining the authority of the as-yet-unfilled Government Cybersecurity czar. Once this position has been filled, this person’s responsibilities will include defining cyber-strategy and driving government security mandates, both current and proposed.

Why is this important for GRC practitioners? If you’re not paying attention to these issues and potential legislation, you should be. As security and compliance become more aligned in the enterprise, GRC experts will undoubtedly find themselves on the front lines of both Federal and private industry cybersecurity efforts.

Written by

CA Community

CA Community is the blog manager’s account used to post general updates and news items.

  • James Holland

    This is great. Hooray for Disney’s imagineers!




  • Love the personal pic 🙂

    • CAHighlight

      Thank you!

  • Plutora Inc

    This is a good case study. 2.3 seconds off a login transaction is big.

  • While the analysts were hyping DevOps, I posted the oversight of not including security as part of that discussion as you are highlighting here. Instead of just talking DevOps, it should be DOS (what’s old is new again 🙂 – DevOpsSec. As a previous AppDev person, it’s the app, who’s using it, why and where rather than the device and having the service available.

    As you rightly point out, security should be baked into the solution.

    Nice Post and Timely!


    • CAHighlight

      Thank you for your feedback Michele. Agreed – security cannot be overlooked. Appreciate your input!

  • Mitesh

    I would love a printed copy

  • Lars Johansson

    I love the idea of BYOID! This lets me choose whether I am almost anonymous (with my Hotmail nickname) or official, with an identity from an official organisation. My Identity Provider will attach an identity with the right level of LoA according to the needs of the Service Provider.

    • CAHighlight

      Thank you for your comment. BYOID has tangible benefits for end users and relying parties but it also has to be weighed in the balance with potential risks and liability concerns. It will be interesting to see how BYOID plays out in the enterprise.