Interpreted by federal agencies as more of a compliance checklist than a real-time risk management framework, the Federal Information Security Management Act (FISMA) has caused concern from its inception. FISMA must evolve to enable more effective mandating of authority and responsibility for its implementation, and the agencies tasked with FISMA oversight have been working to address key concerns. However, Congress has chosen to reform FISMA through legislative action. Either way, FISMA will evolve. This brief looks at why such reform is particularly important for critical infrastructure vendors.