Kundra Previews New FISMA Guidance
Exclusive: Federal CIO on Real-Time Monitoring, Funding, Risk
"Part of the shift that is already happening is around how agencies are getting data to us," Federal Chief Information Officer Vivek Kundra said in an interview with GovInfoSecurity.com. "The forthcoming guidance that is coming out around (fiscal year) 2011 reporting is very much focused around data feeds that are of a real-time nature, around actually creating risk profiles that are very specific to agency missions."
Kundra, whose statutory title is OMB's administrator of e-government and IT, said the new guidance is aimed at moving agencies away from the process of filing paper documents that explain how they comply with the Federal Information Security Management Act to one that employs new tools such as CyberScope, which furnishes a standard format and provides a better view of agencies' data. Eventually, CyberScope will feed data into a cybersecurity dashboard.
"It makes no sense why we wouldn't ask to get the data feeds coming in from these systems so that we could get a real-time dashboard of the U.S. government in terms of how vulnerable or secure we are," Kundra said.
The new guidance would require agencies to follow the model established at the State Department, which scans its worldwide network of computers at least every 36 hours to identify vulnerabilities, he said. (See Beyond FISMA: State Dept.'s Next Gen Metric.)
Agencies sharing real-time information with OMB would result in a better government response to vulnerabilities and threats. Kundra cited a tool created last year by the Department of Homeland Security to remove the Conficker worm. "Imagine how much more powerful that would have been if we actually had real-time data feeds that would roll up to an enterprise wide security dashboard so we could see where our vulnerabilities are, whether it is in a specific agency or bureau," Kundra said.
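The monitoring model described above, a standard-format scan feed from each agency that rolls up into an enterprise-wide dashboard and surfaces vulnerabilities by agency or bureau, with the 36-hour scan cadence as the freshness threshold, is sketched below as an added example. This is illustrative code written for this page, not CyberScope, the State Department's tooling or any OMB software; the agency, bureau and system names and the scan records are constructed, and the feed layout is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample feed (hypothetical agencies and systems, not real data): one
# record per scanned system, in the kind of standard format a collection tool is
# meant to receive. Timestamps are UTC. The record layout itself is an assumption.
SCAN_FEED = [
    {"agency": "AGENCY-A", "bureau": "BUREAU-1", "system": "sys-01",
     "scanned_at": "2010-04-20T08:00:00Z", "critical": 2, "high": 5},
    {"agency": "AGENCY-A", "bureau": "BUREAU-1", "system": "sys-02",
     "scanned_at": "2010-04-18T00:00:00Z", "critical": 1, "high": 0},
    {"agency": "AGENCY-A", "bureau": "BUREAU-2", "system": "sys-03",
     "scanned_at": "2010-04-20T10:00:00Z", "critical": 0, "high": 3},
    {"agency": "AGENCY-B", "bureau": "BUREAU-3", "system": "sys-04",
     "scanned_at": "2010-04-19T06:00:00Z", "critical": 4, "high": 1},
    {"agency": "AGENCY-B", "bureau": "BUREAU-3", "system": "sys-05",
     "scanned_at": "2010-04-17T12:00:00Z", "critical": 0, "high": 2},
]

# Freshness threshold: the at-least-every-36-hours scan cadence cited in the article.
MAX_SCAN_AGE = timedelta(hours=36)


def parse_ts(value):
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_stale(record, now):
    """True when the system's most recent scan is older than MAX_SCAN_AGE."""
    return now - parse_ts(record["scanned_at"]) > MAX_SCAN_AGE


def rollup(records, now, group_by=("agency",)):
    """Aggregate scan records into dashboard rows keyed by the group_by fields.

    Each row carries the number of systems reporting, the open critical and high
    findings, and the systems whose last scan is stale. Grouping by
    ("agency", "bureau") drills one level down from the agency view.
    """
    rows = defaultdict(lambda: {"systems": 0, "critical": 0, "high": 0, "stale": []})
    for rec in records:
        row = rows[tuple(rec[field] for field in group_by)]
        row["systems"] += 1
        row["critical"] += rec["critical"]
        row["high"] += rec["high"]
        if is_stale(rec, now):
            row["stale"].append(rec["system"])
    return dict(rows)


def stale_systems(records, now):
    """Every system, across all agencies, whose scan data is older than the threshold."""
    return sorted(rec["system"] for rec in records if is_stale(rec, now))


def render(rows):
    """Plain-text dashboard rows, one per group, worst critical count first."""
    lines = []
    for key, row in sorted(rows.items(), key=lambda kv: (-kv[1]["critical"], kv[0])):
        stale = ", ".join(row["stale"]) or "none"
        lines.append("%-22s systems=%d critical=%d high=%d stale=%s"
                     % ("/".join(key), row["systems"], row["critical"], row["high"], stale))
    return "\n".join(lines)


if __name__ == "__main__":
    # Fixed "now" so the sample is reproducible; a live dashboard would use the clock.
    now = parse_ts("2010-04-20T12:00:00Z")
    print("By agency:")
    print(render(rollup(SCAN_FEED, now)))
    print("\nBy agency and bureau:")
    print(render(rollup(SCAN_FEED, now, ("agency", "bureau"))))
    print("\nSystems past the 36-hour scan window:", stale_systems(SCAN_FEED, now))
```

Staleness here is judged only from records present in the feed, so a system that simply stops reporting would vanish rather than be flagged; a production roll-up would compare the feed against an authoritative system inventory so that silence shows up on the dashboard as a gap rather than as a clean slate.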
As for the second part of the guidance, how agencies fund IT security, Kundra said he recognizes this as a difficult challenge, noting that spending on cybersecurity is closely linked with the costs to build and maintain systems in the first place. "If you are doing security right, you shouldn't be able to create a very fine line between here is security and here is a system; it should be baked in and not bolted on," he said. "That is where you get into complexity around funding allocation and the numbers we have seen historically."
The third part of the guidance would be for agencies to build unique IT security risk profiles for their respective missions. Working with Cybersecurity Coordinator Howard Schmidt, the White House will form a team to interview agencies to gain a better understanding of the IT security threats they face.
"Historically what has happened is you set up a survey instrument, and you ask a bunch of questions and everybody answers those questions and you get sort of this broad view of cybersecurity threats," Kundra said. "What we recognize is that we haven't really done a good job getting information around the qualitative issues across the U.S. government: electronic health records, transportation, the grid. What are these issues? And then being able to make sure that as policymakers our policies reflect those priorities, whether it is in the context of grants and funding or whether it is in the context of the budgeting process."
Would the identified risks be ranked?
"It is hard to say that because we don't have the data yet," Kundra said. "A big part of it is actually going out there and interviewing these agencies; that has never been done before systematically across the U.S. government. It will be very interesting to see, for instance, what does the Department of Justice or the CIO there view as his biggest risks and where he is focused."
Kundra said he hopes the new guidance emphasizing real-time monitoring will help agencies to do a better job of sharing responses to immediate IT security threats than they had in the past. "Unfortunately," he said, "given the culture of compliance historically, what we haven't been able to do is share those best practices as effectively as we should."