Compliance Is Not Security
Substantial attention has been focused on the Federal Information Security Management Act (FISMA) and the government security "report cards"—so much so that we tend to forget the goal is not to measure actual security. FISMA is only meant to measure compliance. Getting an A on your FISMA report doesn't necessarily mean that your systems are secure. It merely means that the systems comply with government standards.
Standards and compliance are not bad things, but in my opinion FISMA has become quite a paper chase. Once the time and effort have gone into implementing security controls, evaluating those controls to ensure they are implemented properly, and then reporting on the results, there is not much left over for real security efforts.
I'm not against these efforts; I just hope they will eventually find their proper place and perspective within the government. Certainly the efforts of ISAP in developing not only the controls and standards, but also the tools for measuring compliance with those standards, could reduce the effort needed to manage the implementation and reporting.