CYBEREYE

Why so slow to move on CyberScope?

Federal IT execs showed little interest in getting to know the new FISMA reporting tool

White House officials have decreed that agencies must begin using CyberScope, a new online portal for Federal Information Security Management Act reporting, as of Nov. 15. This new process is part of an increased emphasis on automated, continuous monitoring of the security posture of government IT systems.

A recent MeriTalk survey of federal CIOs and chief information security officers conducted on behalf of a half-dozen security companies revealed widespread skepticism about the new system — a skepticism that appears to be founded in ignorance. By a large majority, respondents said they were unsure that CyberScope would deliver better security, and 55 percent said they believed the new process would increase costs. However, even larger majorities said they do not have a clear understanding of CyberScope’s goal or of the new submission requirements.

Perhaps most telling, 85 percent said they had not yet used CyberScope, although every one of those who had used it rated it with a grade of A or B.

So what are they waiting for? Why, six months after being told of the new requirements, were so many CIOs and CISOs unfamiliar with the system? Federal CIO Vivek Kundra recently said agencies would be ready Nov. 15, but the results of the survey, conducted in July, are nevertheless disturbing.

One of the loudest, most persistent complaints about FISMA has been that it is an expensive paper chase that has consumed $40 billion during the past eight years on check-box compliance. CyberScope is part of the work to change that model, and agencies should avail themselves of it.

MeriTalk lays at least part of the blame on the administration for not selling the plan better. But the White House should not need to sell a mandate. Those ordered to use the system have an obligation to — at the very least — familiarize themselves with it.

The marching orders came in an April 21 memo from the Office of Management and Budget on fiscal 2010 reporting under FISMA. The memo outlined a three-tiered approach for reporting that includes direct data feeds from security management tools, governmentwide benchmarking on security posture and agency-specific interviews. The approach is part of development of “outcome-focused metrics for information security performance.”

“CIOs, inspectors general and the senior agency officials for privacy will all report through CyberScope,” the OMB memo states, and a schedule for training on the new portal was set up.

The MeriTalk survey of 34 CIOs and CISOs was done on behalf of ArcSight, Brocade, Guidance Software, McAfee, Netezza and immixGroup. Thirty-four officers is admittedly a small sample and might not be representative of the entire government. And with only two weeks left until the deadline for 2010 FISMA reporting, it is likely that at least some of those officials' answers have changed by now, as Kundra suggested.

The new reporting system was not created in a vacuum. It was developed by a task force that included the CIO Council, Council of Inspectors General on Integrity and Efficiency, National Institute of Standards and Technology, Homeland Security Department, Information Security and Privacy Advisory Board and White House cybersecurity coordinator. The Government Accountability Office was an observer.

CyberScope might not be everything needed to make FISMA better. It might work, and it might not; it’s too early to say. But agency officials need to step up and begin using the tools they have been given.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Thu, Nov 18, 2010 Govt Contractor Midwest USA

Rohweder says "Over 100 Agencies including ALL the majors successfully submitted their 2009 annual FISMA reports..." GSA has got to be one of the majors. How is it then that 12,000 GSA workers' names and SSNs were sent to a private email account on Sept. 16, 2010? (Wash. Post, Nov. 9, 2010). FISMA reporting through CyberScope won't make anything connected to the internet more secure.

Wed, Nov 17, 2010

Security Officer is correct. Most agencies don't have IT money or IT staff sitting around to throw at the latest tool, which finds at most 25% of the listed vulnerabilities in the NVD. The pioneers have some fed IT departments that can develop tools and a long-term plan to cobble together the data so it can provide some return other than meeting a reporting requirement. The non-pioneers only have contractors who must be fed specific requirements or the project will turn into an overblown, costly fiasco. So with an unfunded mandate you get inertia at most of the agencies while they work to meet their congressionally funded missions and wait to see who has a complete solution that can be popped into place. If it was so easy to implement and important, why doesn't OMB or the WH Czar go to Congress and grab a couple billion and make available a complete enterprise package to each agency?

Mon, Nov 8, 2010 Security Officer

Garbage in = garbage out! CyberScope and SCAP are still in their infancy with many unanswered questions. So why the headlong rush to force-fit not-ready-for-prime-time reporting tools which are not going to reduce system risk but may in fact add levels of risk because of unknowns associated with new "near real time" data and processes? This is the real story.

Mon, Nov 1, 2010 A. Rohweder Washington, DC

CyberScope has been operational since the 2009 Annual FISMA submission period opened over a year ago. Over 100 Agencies including all the majors successfully submitted their 2009 annual FISMA reports through the portal. The 2010 Q3 reports were also collected through CyberScope this last summer. CyberScope went live with the 2010 FISMA annual metrics in August of 2010 and will close November 15. The issue causing confusion is the new SCAP Data Feed functionality. This new requirement is loosely tied to the cyclical reporting requirement that has been in place since FISMA reporting began. It requires Agencies to procure automated scan tools that can generate SCAP-enumerated XML output consumable by CyberScope. The intent is to use automation to provide near-real-time information that will supplement the traditional FISMA data-call-based metrics. The CISOs in the study may not have actually had direct involvement with CyberScope, but their Agencies have used it. There are many software applications used by an Agency that a high-level IT executive will only know by name and general purpose.

Mon, Nov 1, 2010 Federal agency

Did it occur to the author to talk to a Federal ITSO or CISO to understand the CyberScope requirement and the capabilities needed to meet the requirement before ranting about disturbing behavior? I would guess "no," since none are quoted.
