Security experts fault FISMA paperwork

After five years in which federal agencies have been graded on their compliance with security laws, some former federal security officials question the meaning of the annual security grades.

“High grades could mean a lot of compliance but not necessarily a lot of security,” said Bruce Brody, vice president of information security at Input, the market research firm.

Brody, a former cybersecurity official at the Energy and Veterans Affairs departments, said he observed agencies creating lots of paperwork to achieve compliance with the Federal Information Security Management Act of 2002. But that paperwork was not always connected to underlying security fixes, he added. “You really have to ask yourself what has five years of FISMA given to us?”

Speaking Feb. 22 in Washington, D.C., following a security workshop, Brody said it would be helpful if the Office of Management and Budget would recognize technically based security processes in which agencies continuously scan their systems and networks and maintain audit logs. “That process could replace an inordinate amount of paper that is generated right now on certification and accreditation,” Brody said.

Lynn McNulty, director of government affairs at the International Information Systems Security Certification Consortium, said the information security programs at most U.S. businesses require far less paperwork than those in federal agencies. But important similarities exist, he added. In businesses and in federal agencies, chief information security officers “are fighting for resources, fighting for management attention and management support,” he said.

The Information Security Forum, the International Information Systems Security Certification Consortium and Input sponsored the workshop.
