ABSTRACT

One of the problems in implementing FISMA to date has been that an excessive amount of attention had to be concentrated initially on assessing legacy systems and bringing them into basic compliance. It is readily recognized that compliance with security requirements is far less expensive to build into systems while they are in development than to retrofit into systems already in operation. Hence, the most effective way of ensuring compliance is to consider it during system development. It proved difficult to do this in the early days of FISMA, and significant amounts of funding were expended in what appeared to be wasteful efforts to assess legacy systems whose security would never be upgraded because of cost. It could be argued that certification and accreditation requirements should have been applied only to new systems and to upgrades of existing systems in order to avoid such costs.