Depending on who you talk to, the Federal Information Security Management Act (FISMA) is either the greatest thing in the world or a government bureaucratic mess. Is FISMA coming soon to a state or local government near you? Isn’t the first word “Federal?”

A few things are clear:

1) FISMA compliance has posed significant challenges for federal agencies. Hundreds of articles have been written about FISMA compliance and the infamous report cards, where eight agencies, including the departments of Defense, State and Homeland Security, received failing F grades, and another five agencies received grades between D+ and D-. Seven agencies, including the Department of Labor and the Social Security Administration, received grades of A- or better.

2) State and local governments receive a large percentage of their IT dollars from the feds. In Michigan, approximately 60% of our IT budget comes from the federal government. Some states get more, some less, but the dollars are huge.

3) There has been no formal OMB decision (that I am aware of) on whether state agencies must comply with FISMA security requirements for systems that receive federal information or dollars.

4) While state and local governments can separate out federal from non-federal systems as far as compliance goes, it’s very difficult when systems are so interconnected. Many of the compliance directives deal with networks and even such areas as privacy on websites. Most locals are trying to move away from stovepipes for efficiency reasons.

5) Federal auditors are showing up in the states now. They are often interpreting FISMA guidance as proof that state systems that are acting as custodians of federal information and/or receiving federal dollars must comply. Questions arise around how fully…

6) I suspect that this will be tested formally by some state or local government at some point and viewed as an unfunded mandate.

In the meantime, I’d advise state and local IT professionals to at least start reading up on FISMA.
You can also start to get that security wording into new contracts where you are custodians of federal data and receive federal dollars. Bottom line, stay tuned. This show is just beginning – and I expect multiple episodes. I also value your comments. What’s your viewpoint?