And then there were two. <a href="http://www.nextgov.com/nextgov/ng_20100519_6677.php?oref=topnews">NASA</a> suspended its C&A activity for existing systems, joining the State Department in pushing forward continuous monitoring and starting what might become a domino effect. But is it right for individual agencies to be setting the tone like this? Moreover, if each agency pushes forward with <a href="http://cybersecurityreport.nextgov.com/2010/04/white_house_heroes.php">OMB's CyberScope</a> initiatives and an interpretation on how they relate to FISMA, will the country benefit from multiple models, or will it suffer from fractured leadership?
And then there were two. NASA suspended its C&A activity for existing systems, joining the State Department in pushing forward continuous monitoring and starting what might become a domino effect. But is it right for individual agencies to be setting the tone like this? Moreover, if each agency pushes forward with OMB's CyberScope initiatives and an interpretation on how they relate to FISMA, will the country benefit from multiple models, or will it suffer from fractured leadership?
The issue most certainly is not with continuous monitoring or CyberScope, but just how far agencies can pull back on C&A and FISMA. The law is still the law, and without unified leadership from Congress and the White House, agencies can still play coy. Or set their own guidelines, which in my book hardly ever turns out well.
Congress has to step up to the plate and knock in the runner here. As long as agencies have a directive to continue C&A in any capacity, they'll likely do it. There's only so much political cover the White House and federal Chief Information Officer Vivek Kundra can provide before the law has to change. A bill was introduced in the House, and word on the street is Sen. Thomas R. Carper, D-Del., will introduce his own FISMA rewrite very soon.