Problems with FISMA
Alan Paller summed up the problems with FISMA when he said, "FISMA wasn’t written badly, but the measuring system they are using is broken. What we measure now is, ’Do you have a plan?’ Not whether the plan actually improves security."
I agree with him that the metrics for FISMA are wrong. FISMA is about compliance, not security. Whether an agency gets an A or a D on its FISMA report card doesn’t tell us whether its systems are vulnerable to attack. It tells us only how well it has met FISMA reporting requirements.
I’m not saying there’s no correlation between the FISMA grade and the security posture of an organization; I’m saying the grade is, at best, misleading.