CyberScope falls flat on improving IT security, feds say

A shift in FISMA compliance away from periodic certification and accreditation of IT systems and toward continuous monitoring has failed to improve security in most agencies, according to a recent survey of federal officials.

The move is intended to put a greater emphasis on results in the Federal Information Security Management Act. Agencies are required to employ automated systems using the Security Content Automated Protocols and report results monthly to the Homeland Security Department via the CyberScope system. But the result has been more compliance rather than risk mitigation.

The results came from government-specific data extracted from nCircle’s 2012 Federal Information Security Initiatives Trend Study.


Related coverage:

Continuous monitoring of it favored in FISMA plan

New FISMA looks a lot like old FISMA, survey finds


When asked if they have you seen measurable reductions in your agency’s risk-based on continuous monitoring efforts to date, 49 percent of the respondents said no, 27 percent said yes, and 24 percent said they didn't know.

“There is a real disconnect,” said Karen Cummins, nCircle’s director of federal markets. “We know that continuous monitoring can be extremely powerful in reducing risk,” from showcase examples such as the State and Health and Human Services departments. But what is being measured is agencies’ ability to generate a data stream to DHS rather than their use of the data. “We’re making sure everybody has a ruler. I found that shocking.”

DHS also works with agencies by going over the CyberScope reports in what are called CyberStat reviews. So far these have showed minimal impact, with most agencies reporting that they have not yet undergone a review or don’t know whether it has improved performance. When asked if participation in CyberStat review sessions improved your agency’s overall security performance, 32 percent said they hadn't yet participated in a review and 54 percent said they didn't know. Only 6 percent said review sessions had improved security, which was matched by the 6 percent that said the reviews had not.

Measuring compliance is not necessarily a bad thing, Cummins said. “You have to start somewhere.” The problem appears to be the specific format required. “That raised the bar in one way and took the focus off continuous monitoring and put it on the CyberScope feed.”

A more effective approach might have been to require the use of SCAP-validated tools and leaving the process more flexible, she said.

One favorable sign coming out of DHS is the shift away from the term “continuous monitoring” in favor of “continuous diagnostics and mitigation,” which puts more emphasis on using the data being gathered rather than merely reporting it.
 

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Fri, Sep 21, 2012 Jack

Indeed, cyberscope is meaningless as it doesn't measure risk (only vulnerabilities) The cyberscope approach also assumes a level of maturity and interoperability which technically and organizationally just doesn't exist at most agencies. Don't worry though DHS' CMaaS is going to solve all this across the federal government starting at the low price of a few hundred million dollars.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above