Automated FISMA Reporting Tool Unveiled

Kundra: Cybersecurity Dashboard Coming Next Spring
The Office of Management and Budget this month unveiled an interactive collection tool called CyberScope that should help agencies fulfill their IT security reporting requirements under the Federal Information Security Management Act.

"CyberScope empowers its 600 estimated agency users to manage their internal reporting and information collection processes as best suits their individual needs," Federal Chief Information Officer Vivek Kundra said in testimony presented Thursday to the Senate Homeland Security and Governmental Affairs Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security.

OMB conducted training sessions prior to the Oct. 19 launch, using feedback to improve the tool, Kundra said. "CyberScope's extensive platform is the performance-based solution to years of inefficient and unsecured collection of agency security data," he said.

To comply with FISMA reporting rules, each department and agency would e-mail to OMB 100 individual spreadsheets and paper copies of inspectors general's IT security audits. It took the equivalent of three full-time workers a full month to compile and analyze the data submissions. "This manual spreadsheet process was laborious, time consuming and unsecured," Kundra said. "Furthermore, the lack of meaningful analysis, the vulnerable reporting methodology and the manual nature of the process inhibited clear, timely and comprehensive insight into the security posture of the federal government's information technology spring."

Binders containing FISMA compliance documents.
Indeed, to prove the point, about a dozen binders, some two inches thick, containing FISMA compliance documents were placed on the witness table. At the hearing, Subcommittee Chairman Tom Carper, D-Del., said that the certification and accreditation process required by the Federal Information Security Management Act alone costs $1.3 billion annually, and estimated that another $1 billion is spent each year for agency inspectors general to audit FISMA compliance. In total, Carper said, the government has spent $40 billion related to FISMA since its enactment in 2002.

Automation should reduce those costs. CyberScope requires users to log in with a secure personal identity verification, or PIV, card and a PIN, the first time a PIV credential has been used for a governmentwide system.

CyberScope isn't the only digital tool OMB plans to employ to ease FISMA compliance. Kundra said OMB will unveil a cybersecurity dashboard next spring, "unlocking the value of agency FISMA submissions in a timely, comprehensive and secure manner."

The Department of State has deployed a digital security dashboard to monitor its worldwide system of 5,000 routers and 40,000 host computers that supports 285 foreign posts. The automated collection of data has helped State implement a risk-scoring program that has reduced overall risk on the department's key unclassified network by about 90 percent since mid-July, said John Streufert, State's deputy CIO for information security.

Kundra said the automated tools are motivational. "Because scores are visible to other system managers across the agency," he said, "the system fosters an atmosphere of peer-based competition."

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
