Comments on: FISMA: Paperwork Or Actual Security?
http://blog.securitymonks.com/2008/03/17/fisma-paperwork-or-actual-security/

By: rybolov (Tue, 18 Mar 2008 03:29:13 +0000)
http://blog.securitymonks.com/2008/03/17/fisma-paperwork-or-actual-security/#comment-6457

Hiyas, thanks for the quotes.

The law is there, it’s very sound. I have one small adjustment (performance/compliance-based to strategic direction, see some of my other blog posts on FISMA) I think I would like to suggest but I need to think about it some more.

The framework is there, it’s one of the best, is scalable, and is completely free.

“Real security or paperwork drill” comes down to one single criterion: what kind of people you have hired and what kind of skills do they have.

The problem is the people who execute. Not the CISOs, as a whole they are some of the brightest people I’ve ever met. It’s in their staffs, there aren’t enough good people to go around.

To quote Dan Geer in his April 2007 testimony to the Thompson committee: “Because the demands for expertise so outstrip the supply, the fraction of all practitioners who are charlatans is rising.”

If you were to take away FISMA and replace it with the SANSFramework, you would get exactly the same results because it would be exactly the same people doing it.

Until we as an industry can figure out how to suddenly make thousands of people become “clueful” overnight, we will continue to make steady plodding progress forward but continue to spend heavily and not progress as rapidly as we should.

This is the challenge we deal with in Government: how do we do all of the following:
- Provide cost-effective security
- Assure compliance with all applicable laws and national-level policies
- Deal with the IT and security industries as a downstream consumer when they aren’t meeting our needs
- Deal with the shortage of good IT security staff
- Manage the Legislative branch who do not understand the problem at hand
- Work within a budget cycle that takes 2 years before funds are available for large capital expenses

When you figure out an answer, let me know. =)
