A recent article concerning how to reform the Federal Information Security Management Act without enacting new legislation caught my attention. This approach disregards the inadequacies of the FISMA legislation and adds naively considered processes to the mountain of processes that clog the agencies’ security arteries. CIOs and CISOs are not authorized to gather this knowledge, because FisMA tragically botched governance, he says. By using the word “ensure” instead of “enforce” as in the “CIO shall ensure compliance with the act” FISma gave no authority to the CIO or the CISO.”]
Source: https://www.bankinfosecurity.com/blogs/questioning-fisma-reform-without-new-law-p-1445