Since the adoption of the Federal Information Security Act (FISMA) in 2002, its provisions for managing the IT security of Federal information systems have been adopted well beyond the Federal government. The reasons vary, but the trend is clear: over 50% of state governments in the U.S. have adopted FISMA as their information security standard (the other 50% use the ISO framework). Why have so many organizations moved toward FISMA? The Federal government has developed what it considers the best approach to ensuring that sensitive government systems and data are secure. Consider for a moment the type and amount of data the government holds: Social Security records, tax records, health information (the Veterans Administration, Medicare/Medicaid), even banking and finance records (through its supervision of the banking industry). The list goes on, and it does not even take into account military and national security information, which have their own Information Assurance regulations.
With this much sensitive personal information at stake, a data loss could affect the health and safety of everyone in the country. Given that, the presumption is that the information security the U.S. government mandates for its own systems should suffice for state governments and other public sector entities, which often follow Federal regulations as a best practice.
In addition to public sector entities, there are entire industries of Federal contractors that manage government systems and information. These include insurance companies that process Medicare claims and a number of other outsourcers that manage Federal systems, such as Lockheed Martin, Northrop Grumman, SAIC, and BAE Systems. All of these organizations must comply with FISMA, with Department of Defense regulations (for military contractors), and with Federal privacy regulations such as HIPAA if they handle or manage protected health information.
For non-governmental entities like these, maintaining compliance with every regulation they are subject to as private companies holding Federal contracts can be a complex, burdensome task. GRC practitioners in these organizations struggle to balance the many overlapping tasks that such a compliance environment creates. Many of these organizations have come to look at the larger picture, realizing that their compliance environment can be rationalized to a significant extent by mapping the similarities and overlap across multiple regulations into a single compliance framework for the organization. The advantages of a compliance framework are many, but one of the most critical is that it serves as a central repository for all of an organization's regulatory information. Centralization alone can surface numerous overlapping and redundant controls that can be eliminated, leading to an immediate reduction in the cost of managing compliance initiatives.
There are many other benefits to managing compliance through a centralized framework. As Federal regulations change, grow more complex, and extend their scope to more of the private sector, this will be an important guiding principle for GRC practitioners to keep in mind.
The benefits of a centralized repository have also been recognized by the Federal government, which recently announced the CyberScope initiative for FISMA reporting (read a good recap of this news here). CyberScope is essentially a central repository, with a standard interface, through which agencies submit their required FISMA reports to the Office of Management and Budget (OMB), the management arm of the White House. CyberScope will streamline agency FISMA reporting by mandating a standard interface and format for entering FISMA data. The OMB will then provide this data in reports to other agencies, as well as publicly, as called for by FISMA. By providing public oversight of agency cybersecurity efforts, CyberScope is a critical piece of the overall Federal IT picture, and one that will have a profound impact on the GRC industry.