OMB wants real-time cybersecurity


Changes to the way federal agencies counter and report on cybersecurity threats appear imminent, at least if an Office of Management and Budget report on the Federal Information Security Management Act is any indicator.

"OMB will release a roadmap for future reporting under FISMA, which will incorporate real-time metrics and enhance Government-wide situational awareness in 2010," states the report to Congress about fiscal 2009 FISMA performance.

"The use of Security Information Management or Security Information Event Management tools will assist in progressing towards real time security awareness and management in the Government," it adds.

The House Reform Committee government management, organization and procurement subcommittee will hold a hearing on FISMA today, March 24.

FISMA has long been the subject of criticism since its enactment in 2002. Most complaints have centered on its paperwork-intensive processes. Detractors--perhaps most audibly, the SANS Institute's Alan Paller--have pushed for a more dynamic approach.

OMB Chief Information Officer Vivek Kundra has already signaled his displeasure with FISMA, writing in response to a July 2009 GAO report that while elements of FISMA "may have made sense when FISMA was enacted, they are largely focused on compliance."

This newest OMB report repeats the criticism, calling FISMA reporting metrics "lagging indicators focused on compliance rather than outcomes."

However, previous attempts by members of Congress to change FISMA have so far made little headway. For example, a bill by Sen. Thomas Carper (D-Del.), the "Information and Communications Enhancement Act of 2009," was referred to a Senate committee last April, the last major action taken on the bill.

For more:
- check out the OMB fiscal 2009 FISMA report (.pdf)
- this July 2009 GAO report, "Agencies Continue to Report Progress, but Need to Mitigate Persistent Weaknesses" (.pdf)
- this blog post from NextGov
