Still others feel the burden of multiple, independent, overlapping or redundant compliance regimes that apply to a single organization, such as HIPAA and FISMA. They argue for a converged security and compliance strategy so that one set of controls and one body of evidence can satisfy several regulations at once, minimizing overlap and redundant assessment work.
Some feel that periodically demonstrating compliance with regulations is overly complex and time-consuming, leaving less time to focus on an organization's mission. In part to address such concerns, the updated version of NIST SP 800-37, the Certification and Accreditation (C&A) guideline, refocuses C&A from a periodic, one-time event to a continuous process of monitoring and risk management. In addition, newer technologies such as continuous file integrity monitoring (see, for example, the McAfee white paper "Continuous File Integrity Monitoring with Minimal System Impact and No Repeat Scans") are emerging to support a shift from point-in-time compliance testing to continuous compliance assurance, in which control evidence is collected as the system runs rather than reconstructed at audit time.
Some believe that certain agencies treat FISMA, and by extension SP 800-53, as a paperwork exercise: the goal becomes completing the FISMA reports due to OMB rather than verifying or improving information assurance. They also argue that there should be detailed metrics for measuring the readiness and effectiveness of an organization's security program on an ongoing basis, not just its compliance status at reporting time.
This raises the question of whether there is an over-reliance on compliance for its own sake. The credibility of using compliance as a guarantee of security has suffered from risks recently revealed in the financial and electric-power industries. Some systems had been deemed compliant with the Payment Card Industry Data Security Standard (PCI DSS) or with the North American Electric Reliability Corporation (NERC) reliability standards, respectively, yet they were not secure. A compliance assessment is scoped and point-in-time: it says little about systems outside the assessed boundary or about configuration drift after the assessor leaves, and security can be compromised through ambiguities and shortcomings in the guiding standards themselves. A recent GAO finding on FISMA compliance reports based on the previous version of SP 800-53 identified disconnects between those reports and agencies' actual security posture. Whether the newly revised SP 800-53, Revision 3, is subject to similar gaps is not yet known.
The Bottom Line: SP 800-53 is good for IA.