CyberScope falls flat on improving IT security, feds say
A shift in FISMA compliance away from periodic certification and accreditation of IT systems and toward continuous monitoring has failed to improve security in most agencies, according to a recent survey of federal officials.
The move is intended to put a greater emphasis on results in the Federal Information Security Management Act. Agencies are required to use automated tools based on the Security Content Automation Protocol (SCAP) and to report results monthly to the Homeland Security Department through the CyberScope system. But the result so far has been more compliance reporting rather than risk mitigation.
The results came from government-specific data extracted from nCircle’s 2012 Federal Information Security Initiatives Trend Study.
When asked whether they had seen measurable reductions in their agency’s risk based on continuous monitoring efforts to date, 49 percent of the respondents said no, 27 percent said yes, and 24 percent said they didn’t know.
“There is a real disconnect,” said Karen Cummins, nCircle’s director of federal markets. “We know that continuous monitoring can be extremely powerful in reducing risk,” from showcase examples such as the State and Health and Human Services departments. But what is being measured is agencies’ ability to generate a data stream to DHS rather than their use of the data. “We’re making sure everybody has a ruler. I found that shocking.”
DHS also works with agencies by going over the CyberScope reports in what are called CyberStat reviews. So far these have shown minimal impact, with most agencies reporting that they have not yet undergone a review or don’t know whether it has improved performance. When asked whether participation in CyberStat review sessions had improved their agency’s overall security performance, 32 percent said they hadn’t yet participated in a review and 54 percent said they didn’t know. Only 6 percent said the review sessions had improved security, matched by the 6 percent that said they had not.
Measuring compliance is not necessarily a bad thing, Cummins said. “You have to start somewhere.” The problem appears to be the specific format required. “That raised the bar in one way and took the focus off continuous monitoring and put it on the CyberScope feed.”
A more effective approach might have been to require the use of SCAP-validated tools while leaving the reporting process more flexible, she said.
One favorable sign coming out of DHS is the shift away from the term “continuous monitoring” in favor of “continuous diagnostics and mitigation,” which puts more emphasis on using the data being gathered rather than merely reporting it.