FederalNewsRadio.com reports that FISMA updates were attempted before, in 2008 and 2010, and went nowhere. 2012 could be different, though.
The article says one area of emphasis seems to be borrowed from the latest food and health regulations. Preference will be given to vendors who do not fry or sauté security into their products.
Lieberman said Congress would encourage agencies to only buy from vendors who “bake” security in from the beginning of development.
“Using the federal government’s purchasing power, I believe would help prod technology companies to produce more secure products, which would then be available to businesses and consumers,” he said.
No word yet on whether steaming is acceptable.
Here’s another area of change to watch.
“Our legislation would also provide liability protection for owners and operators who are in compliance with their approved security plans.”
That sounds familiar. PCI DSS works on a similar theory. Many people ask me if compliance brings complete liability transfer or exclusion. It does not. Changes to FISMA likewise will probably not offer protection against all liability, but instead some amount of protection: a reduction in penalties and fines for an owner or operator that is breached while in compliance with its approved plan, compared with one that is breached while also out of compliance.