The Federal Information Security Management Act, or FISMA, provides a menu of some three hundred distinct “controls” that tech teams can choose from to secure government software and data from hackers. Competent developers should, in theory, create an informed, thoughtful security plan that chooses the controls most relevant to the circumstances and focus their efforts on implementing and testing those choices. But it’s the rare compliance officer who will take the risk of allowing anything less than all three hundred.
