Why so slow to move on CyberScope?
Federal IT execs showed little interest in getting to know the new FISMA reporting tool
White House officials have decreed that agencies must begin using CyberScope, a new online portal for Federal Information Security Management Act reporting, as of Nov. 15. This new process is part of an increased emphasis on automated, continuous monitoring of the security posture of government IT systems.
A recent MeriTalk survey of federal CIOs and chief information security officers conducted on behalf of a half-dozen security companies revealed widespread skepticism about the new system — a skepticism that appears to be founded in ignorance. By a large majority, respondents said they were unsure that CyberScope would deliver better security, and 55 percent said they believed the new process would increase costs. However, even larger majorities said they do not have a clear understanding of CyberScope’s goal or of the new submission requirements.
Perhaps most telling, 85 percent said they had not yet used CyberScope, although every one of those who had used it rated it with a grade of A or B.
So what are they waiting for? Why, six months after being told of the new requirements, were so many CIOs and CISOs unfamiliar with the system? Federal CIO Vivek Kundra recently said agencies would be ready Nov. 15, but the results of the survey, conducted in July, are nevertheless disturbing.
Kundra says agencies ready for real-time FISMA reporting tool
One of the loudest, most persistent complaints about FISMA has been that it is an expensive paper chase that has consumed $40 billion during the past eight years with check box compliance. CyberScope is part of the work to change that model, and agencies should avail themselves of it.
MeriTalk lays at least part of the blame on the administration for not selling the plan better. But the White House should not need to sell a mandate. Those ordered to use the system have an obligation to — at the very least — familiarize themselves with it.
The marching orders came in an April 21 memo from the Office of Management and Budget on fiscal 2010 reporting under FISMA. The memo outlined a three-tiered approach for reporting that includes direct data feeds from security management tools, governmentwide benchmarking on security posture and agency-specific interviews. The approach is part of development of “outcome-focused metrics for information security performance.”
“CIOs, inspectors general and the senior agency officials for privacy will all report through CyberScope,” the OMB memo states, and a schedule for training on the new portal was set up.
The MeriTalk survey of 34 CIOs and CISOs was done on behalf of ArcSight, Brocade, Guidance Software, McAfee, Netezza and immixGroup. Thirty-four officers is admittedly a small sample and might not be representative of the entire government. And with only two weeks left until the deadline for 2010 FISMA reporting, it is likely that at least some of those officials have changed by now, as Kundra suggested.
The new reporting system was not created in a vacuum. It was developed by a task force that included the CIO Council, Council of Inspectors General on Integrity and Efficiency, National Institute of Standards and Technology, Homeland Security Department, Information Security and Privacy Advisory Board and White House cybersecurity coordinator. The Government Accountability Office was an observer.
CyberScope might not be everything needed to make FISMA better. It might work, and it might not; it’s too early to say. But agency officials need to step up and begin using the tools they have been given.