However, federal agencies cannot move effectively to more secure systems unless you shift the emphasis of the FISMA assessments from paper reporting to automated monitoring of essential controls. …  Two weeks ago, a federal CIO told me, “I have a CISO who always gets me to green on my FISMA grades, but the reports he produces have no impact at all on security of our computers or networks, I am setting up a separate group to do real security.” This CIO can do both because of a surge of funding his organization has received from the new stimulus bill.