Comments on antiworm: Hands-on SQL Injection - Show me!
Blog author: Gary W. Longsine (http://www.blogger.com/profile/05653813520423954538)
Last updated: 2008-02-24T15:25:57.850-05:00

Comment by Mike (http://www.blogger.com/profile/04297781911754780421), posted 2008-02-24T13:45:00.000-05:00:

What is it in the FISMA legislation that leads you to believe that it provides an incentive for agencies to create "lengthy, complicated reports" when they identify a software defect? The NIST Risk Management Framework created in support of the FISMA legislation requires testing for software defects, requires that they be managed and, through the POA&M process, ultimately resolved. If agencies are choosing to write lengthy and complicated reports in lieu of fixing problems, blame agency management and staff, not FISMA.

The problems lie not in our security requirements and standards, but in our execution.