Monday, December 11, 2006

Compliance Conundrum

Federal agencies trying to comply with FISMA requirements face a multi-pronged challenge. They not only face the difficult task of correcting vulnerabilities, but they also need to define what those vulnerabilities are. While NIST provides a useful starting point in its 800-53 controls framework, the details are often left up to the agency. Unfortunately, most have not been up to the challenge. Instead of defining detailed controls at an agency or system level, auditors are instead pointed to standard checklists, such as the DISA Security Checklists and the Center for Internet Security's checklists. While that is a useful starting point, usually the effort stops there, with the result that an agency has adopted a standard it cannot hope to meet. Consequently, auditors are left wondering which controls an agency meant to adopt. Findings then become voluminous and repetitive across multiple systems, and ultimately such requirements may be waived. Nonetheless, substantial time and funds could be saved if realistic security configuration checklists were developed first. That would also allow agencies to avoid the embarrassment of having to explain why they never intended to adopt controls that they were found not to have met.