Previously, FISMA reporting consisted of extensive documentation, and the problems with this approach were many.
It took a great deal of time and effort to compile the reporting packages. Few organizations truly believed that their documentation would be reviewed. But the biggest problem was more fundamental: these documents were ineffective in promoting the security of agencies and businesses, because they only looked backward.
Even if FISMA compliance reporting revealed a security vulnerability, the finding was likely to come too late, and the security landscape was likely to have changed in the meantime. This backward-looking documentation spoke only to a single moment in time. To truly improve security controls, organizations needed a better understanding of their ongoing security realities.
For this reason, FISMA has been updated to replace the old onerous documentation process with a continuous monitoring approach. This way, agencies and businesses will monitor and assess key performance indicators (or KPIs) on an ongoing basis. The KPIs will function as the metrics of an organization’s security success, making FISMA reporting a much more accurate and automated process.
Now, FISMA compliance is a matter of real-time data, and it should be much more meaningful for covered organizations. But there are steps that every business and agency should take to ensure that their continuous monitoring is as effective as possible.