FISMA , Standards, Regulations & Compliance

FISMA Reporting Moves Into the 21st Century

OMB Replaces Paper-Based Compliance Process with Automated Tool
FISMA Reporting Moves Into the 21st Century
The White House Wednesday took a significant step to move federal departments and agencies toward real-time monitoring of their computer systems and networks and away from paper filings documenting compliance with the Federal Information Security Management Act.

Under the signatures of OMB Deputy Director for Management Jeffrey Zients, Federal Chief Information Office Vivek Kundra and Cybersecurity Coordinator Howard Schmidt, the Office of Management and Budget issued a memorandum instructing federal departments and agencies to use a new, online interactive collection tool called CyberScope to file their fiscal year 2010 reports by Nov. 15 as required by FISMA. Agencies were instructed to provide updates on their privacy management programs through CyberScope, too.

The shift in the reporting process is more than just replacing printed material with 0s and 1s. Traditionally, FISMA reports focused on the processes agencies took to secure IT without determining whether computer systems and networks were truly secure. "This process is designed to shift our efforts away from a culture of paperwork reports," the OMB memo states. "The focus must be on implementing solutions that actually improve security."

According to the memo, agencies must continuously monitor security-related information from across the enterprise in a manageable and actionable way. "To do this, agencies need to automate security-related activities, to the extent possible, and acquire tools that correlate and analyze security-related information," the memo says. "Agencies need to develop automated risk models and apply them to the vulnerabilities and threats identified by security management tools."

Agencies will feed data on computer security into CyberScope through their existing continuous monitoring programs and security management tools. A task force created by OMB last September that created CyberScope and the new reporting process also developed a set of data elements that can be easily fed from agency security monitoring systems into CyberScope. "Agencies should not build separate systems for reporting," the memo states.

As part of the reporting process, OMB will ask all but the smallest agencies - those with 100 or fewer employees - a set of questions on their security posture that can be answered in CyberScope. In addition to the electronic filing process, a team of government security specialists will quiz agencies on their security posture. "That has never been done before systematically across the U.S. government," Kundra said in an interview with that previewed Wednesday's announcement. "So it will be very interesting to see, for example, the Department of Justice CIO's view of his biggest risks and where he is focused."

Kundra said the aim of the electronic and in-person questioning as well as the collection of continuous-monitoring data is to build cybersecurity profiles of each agencies. He said the OMB guidance "is very much focused around data feeds that are of a real-time nature, around actually creating risk profiles that are very specific to agency missions."

He said these profiles should prove vital for Schmidt as the cybersecurity coordinator identifies strengths and weaknesses in the government's IT defense in order to disseminate best practices across the government. "If this particular agency on a real-time basis has been able to address this threat in minutes or hours or days, not months, then how do we connect that individual with the individual or agency that is taking months to address the same problem?" Kundra asked. "Unfortunately, given the culture of compliance historically, what we haven't been able to do is share those best practices as effectively as we should."

With the new automated reporting process tied to continuous monitoring, Kundra hopes that change in culture is underway.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.