NextGov
Tech Insider
What's happening in the federal IT community

FISMA: Route to the Loot
By Andy Boots  |  Monday, March 24, 2008 |  8:25 AM

In a Google search to identify the putative “improvements” to the Federal Information Security Management Act being considered these days, I stumbled on www.fisma.org, a U.K. site for a non-profit organization called FiSMA (acronym meaning unclear). One of the terms the site has seeded for search engines is “route to the loot,” which has something to do with the purpose of the organization: linking companies to investors.

But I couldn’t help reflecting on how our own FISMA has been just such a route for the many companies which have been paid hundreds of millions of dollars for asking agency employees about security matters, writing the answers down in prescribed format, waiting (on the clock) for government clients to get around to reviewing the documents, rewriting for several more cycles, submitting the final versions for printing/binding/filing, and beginning the updates to the documents for the next C&A cycle. Of course, there are also companies making a nice living over training, background investigations, intrusion detection, configuration management, POA&M tracking, and the myriad of other outgrowths of the "FISMA compliance industry." Some companies actually contribute to security of government information, but most are more than willing to take the route to the loot instead.
