Policy Analysis Part 5

Carter Hendrick

Old Dominion University School of Cybersecurity

CYSE 425W: Cyber Strategy and Policy

Teresa Duvall

12/1/2024

How effective is FISMA

FISMA is an important organizational framework that has been in place since 2002 and has continued to be updated as the foundations of United States information security have been modernized. FISMA sets out the responsibilities of government agencies and government contractors in their respective roles, ensuring there are regular checks for FISMA compliance so that information security within the government is maintained. Compliance is checked against a FISMA checklist produced by NIST. This is an effective strategy because it draws a hard line in the sand for the level of security that must always be upheld within the government. Even if a breach were to happen, it would be easily traced back to the attacker and handled from there.

FISMA Organization of Resources

FISMA works hand in hand with the national cyber strategy of the United States. While the national cyber strategy outlines the actions taken for defense, FISMA is a major actor in keeping all government groups, government contractors, and key individuals from doing anything that would compromise information. The structure that FISMA establishes means that anyone connected to the government in any way will receive penalties if they are not up to standard (CISA). Government agencies and other companies with government contracts face many penalties that keep them on track for compliance and maintain the effectiveness of the policy. These penalties range from increased audits to reparation fees if the company was the direct cause of an information breach (Porter). Despite these penalties, in 2022 preliminary tests of FISMA implementation showed that there were inconsistencies (GAO). Looking through the statistics, 17 out of 23 civilian agencies did not meet their cybersecurity goals, and inspectors reported ineffective programs (GAO). These points show that even though the policy seems solid, getting people to follow it is more difficult than it seems.

How Can the Government Better Implement FISMA

The statistics show that the implementation of FISMA has not been going as planned. This could be dealt with through a few different solutions. Part of the issue could be that the civilian agencies do not feel as if they need to comply with the FISMA policy. There may need to be a renewal of certain contracts stating that companies cannot work with the government and will not have access to government information and funding if they are not FISMA compliant by a certain time. These compliance issues need to be solved quickly because of the many cyberattacks constantly happening in the United States. Civilian agencies need to understand that there is no wiggle room for these policies.

Conclusion

The realistic effectiveness of FISMA is not perfect; the communication between the government and the civilian agencies working with it needs to be clear about the issues that will arise if FISMA is not followed. The world is now in an ongoing information war, and there is no room to let negligence allow American adversaries to gain the upper hand.

Works Cited:

  1. CISA. (n.d.). Federal Information Security Modernization Act. Cybersecurity and Infrastructure Security Agency (CISA). https://www.cisa.gov/topics/cyber-threats-and-advisories/federal-information-security-modernization-act
  2. U.S. Government Accountability Office. (2022, February 8). Cybersecurity: Preliminary results show that agencies’ implementation of FISMA requirements was inconsistent (GAO-22-105637). https://www.gao.gov/products/gao-22-105637
  3. Porter, A. (2024, September 19). FISMA compliance made simple: A comprehensive guide. BigID. https://bigid.com/blog/fisma-compliance/
