FISMA Reporting Moves Into the 21st Century

OMB Replaces Paper-Based Compliance Process with Automated Tool
Under the signatures of OMB Deputy Director for Management Jeffrey Zients, Federal Chief Information Officer Vivek Kundra and Cybersecurity Coordinator Howard Schmidt, the Office of Management and Budget issued a memorandum instructing federal departments and agencies to use a new, online interactive collection tool called CyberScope to file their fiscal year 2010 reports by Nov. 15 as required by FISMA. Agencies were instructed to provide updates on their privacy management programs through CyberScope, too.
The shift in the reporting process is more than just replacing printed material with 0s and 1s. Traditionally, FISMA reports focused on the processes agencies took to secure IT without determining whether computer systems and networks were truly secure. "This process is designed to shift our efforts away from a culture of paperwork reports," the OMB memo states. "The focus must be on implementing solutions that actually improve security."
According to the memo, agencies must continuously monitor security-related information from across the enterprise in a manageable and actionable way. "To do this, agencies need to automate security-related activities, to the extent possible, and acquire tools that correlate and analyze security-related information," the memo says. "Agencies need to develop automated risk models and apply them to the vulnerabilities and threats identified by security management tools."
Agencies will feed data on computer security into CyberScope through their existing continuous monitoring programs and security management tools. The task force that OMB established last September to build CyberScope and the new reporting process also defined a set of data elements that can be fed directly from agency security monitoring systems into CyberScope. "Agencies should not build separate systems for reporting," the memo states.
As part of the reporting process, OMB will ask all but the smallest agencies - those with 100 or fewer employees - a set of questions on their security posture that can be answered in CyberScope. In addition to the electronic filing process, a team of government security specialists will quiz agencies on their security posture. "That has never been done before systematically across the U.S. government," Kundra said in an interview with GovInfoSecurity.com that previewed Wednesday's announcement. "So it will be very interesting to see, for example, the Department of Justice CIO's view of his biggest risks and where he is focused."
Kundra said the aim of the electronic and in-person questioning, together with the collection of continuous-monitoring data, is to build a cybersecurity profile of each agency. He said the OMB guidance "is very much focused around data feeds that are of a real-time nature, around actually creating risk profiles that are very specific to agency missions."
He said these profiles should prove vital for Schmidt as the cybersecurity coordinator identifies strengths and weaknesses in the government's IT defense in order to disseminate best practices across the government. "If this particular agency on a real-time basis has been able to address this threat in minutes or hours or days, not months, then how do we connect that individual with the individual or agency that is taking months to address the same problem?" Kundra asked. "Unfortunately, given the culture of compliance historically, what we haven't been able to do is share those best practices as effectively as we should."
With the new automated reporting process tied to continuous monitoring, Kundra hopes that change in culture is underway.