Automated FISMA Reporting Tool Unveiled
Kundra: Cybersecurity Dashboard Coming Next Spring
"CyberScope empowers its 600 estimated agency users to manage their internal reporting and information collection processes as best suits their individual needs," Federal Chief Information Officer Vivek Kundra said in testimony presented Thursday to the Senate Homeland Security and Governmental Affairs Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security.
OMB conducted training sessions prior to the Oct. 19 launch, using feedback to improve the tool, Kundra said. "CyberScope's extensive platform is the performance-based solution to years of inefficient and unsecured collection of agency security data," he said.
To comply with FISMA reporting rules, each department and agency would e-mail to OMB 100 individual spreadsheets and paper copies of inspectors general's IT security audits. It took the equivalent of three full-time workers a full month to compile and analyze the data submissions. "This manual spreadsheet process was laborious, time consuming and unsecured," Kundra said. "Furthermore, the lack of meaningful analysis, the vulnerable reporting methodology and the manual nature of the process inhibited clear, timely and comprehensive insight into the security posture of the federal government's information technology spring."
Automation should reduce those costs. CyberScope requires users to log in with a secure personal identity verification, or PIV, card and PIN number; it is the first time a PIV credential has been used for a governmentwide system.
CyberScope isn't the only digital tool OMB plans to employ to ease FISMA compliance. Kundra said OMB will unveil a cybersecurity dashboard next spring, "unlocking the value of agency FISMA submissions in a timely, comprehensive and secure manner."
The Department of State has deployed a digital security dashboard to monitor its worldwide system of 5,000 routers and 40,000 host computers that supports 285 foreign posts. The automated collection of data has helped State implement a risk-scoring program that has reduced overall risk on the department's key unclassified network by about 90 percent since mid-July, said John Streufert, State's deputy CIO for information security.
Kundra said the automated tools are motivational. "Because scores are visible to other system managers across the agency," he said, "the system fosters an atmosphere of peer-based competition."