I think FISMA and its predecessor GISRA have served their purpose and lived out their usefulness. These programs have helped to raise security awareness across government agencies. This has been of great benefit.
I believe however, that it’s time for a new security initiative with new goals. There needs to be a shift from reporting and "checking the box" to a risk-based approach to security management.
There also needs to be proper prioritization of security initiatives, both within each organization and also at the higher levels of government pushing down new initiatives (such as OMB).
The metrics by which we measure the need to change from compliance to risk management, and the process by which we measure and report, need to be modified to reduce the workload placed on the agencies so they can focus on "real" security.