IT security rules revision may cost feds $600M over 4 years

31.10.2008
A proposed bill aimed at revising the Federal Information Security Management Act would, if passed, require the U.S. government to spend an additional US$610 million on FISMA implementation costs over the next four years, according to an estimate by the Congressional Budget Office.

The CBO said in a cost estimate released on Tuesday that the bill could also affect spending on security by agencies, such as the , that don't receive annual FISMA-compliance funding. But any increase in costs at those agencies is likely to be relatively small and could be offset by increasing the fees they charge for their services, the CBO added.

FISMA was approved by Congress and signed into law in 2002, in the aftermath of the 9/11 terrorist attacks, with a goal of improving data security within the federal government. The law mandates a that agencies have to comply with and be evaluated against on an annual basis. For instance, FISMA requires agencies to adopt standard system configurations, create security training programs and develop processes for testing their security controls and contingency plans.

Over the past few years, the annual FISMA reports issued by each agency's inspector general have been widely used as an indicator of the security preparedness at individual agencies and within the government as a whole. , who authored FISMA, uses the reports to prepare an each year. Many agencies, including the departments of Defense, State and Homeland Security, have typically on the report cards, getting D or even F grades.

FISMA's mandates have focused much-needed attention on the security of federal systems and IT infrastructures. Even so, over the past few years, there has been a growing concern that many agencies have begun treating the FISMA process as little more than a , resulting in little in the way of actual security improvements.

The big problem, according to , is that FISMA merely requires agencies to attest to the measures they have implemented for protecting their data and systems without actually requiring them to prove anything. The requirements have also been criticized for not being holistic enough and for being too focused on process issues, while not covering technology issues IPS.