Where Do We Go From Here?
Obviously, technology will continue to grow and evolve. Does this mean we'll need new scanning tools every time a new technology arrives? I certainly hope not. I can't hope to predict the future, so I'm not going to attempt it here. Ideally, the evaluation techniques can be consolidated in some way; otherwise, the tools will become as unmanageable as the technology.
The goals of FISMA and all the guidance from NIST are good efforts at easing the burden of security management, but they do not in themselves constitute security. I think the goals of FISMA and NIST need to evolve together with the technology. I also think these goals should develop along with the performance of the agencies they are meant to assist and support. FISMA has succeeded in raising awareness across the government but unfortunately now causes more problems than it resolves. Agencies spend countless hours preparing for their next FISMA reporting period, dotting their i's and crossing their t's. I acknowledge the need for accountability, but there must be a better way.