Is CyberScope Ready for Prime Time? Survey: Most Agencies Had Yet to Employ FISMA Reporting Tool
That's the takeaway of a survey published Monday by six IT security vendors on CyberScope, the automated FISMA reporting tool unveiled a year ago by Federal Chief Information Officer Vivek Kundra. Major federal departments and agencies are to employ CyberScope by Nov. 15 to report on how they have complied this past year with the requirements of the Federal Information Security Management Act, the law that governs cybersecurity in the federal government, according to a memo issued by Kundra and White House Cybersecurity Coordinator Howard Schmidt in April.
Only 15 percent of the 34 federal chief information and chief information security officers surveyed in July had used CyberScope. Those CIOs and CISOs gave CyberScope a grade of A or B.
But an overwhelming percentage of survey respondents who hadn't used CyberScope, 85 percent, say they don't understand CyberScope's mission or how to use it. Seventy-two percent said they didn't clearly comprehend CyberScope's missions and goals and 90 percent didn't fully understand submission requirements. Fifty-five percent felt unsure if the Kundra-Schmidt memo that modernized the way agencies collect and disseminate security data from their IT systems would improve cybersecurity oversight and nearly seven in 10 didn't know if it would improve IT security itself.
The CyberScope project is overseen by the Department of Homeland Security, but DHS declined to provide an official to discuss the readiness of CyberScope.
A year ago, to much fanfare, Kundra unveiled CyberScope during a hearing held by a Senate Homeland Security and Governmental Affairs subcommittee. During the proceedings, Kundra placed about a dozen binders, some two inches thick, containing FISMA compliance documents on a witness table to show how the tool would save government agencies time and money.
But that message hasn't been heard distinctly by those who had not used CyberScope, according to the survey. Fifty-five percent of the surveyed CIOs and CISOs who have not used CyberScope say costs will increase due to FISMA reporting and submission changes.
"Clearly FISMA needs reform. That said, the communication about that new approach has been spotty at best since that time," said Steve O'Keefe, founder of MeriTalk, the communications firm that conducted the survey for IT vendors ArcSight, Brocade, Guidance Software, McAfee, Netezza, and immixGroup.
At the hearing, subcommittee Chairman Tom Carper, D-Del., said that the FISMA certification and accreditation process alone costs $1.3 billion annually, and estimated that another $1 billion is spent each year for agency inspectors general to audit FISMA compliance. In total, Carper said, the government has spent $40 billion related to FISMA since its enactment in 2002.
Kundra has high hopes for CyberScope. "CyberScope empowers its 600 estimated agency users to manage their internal reporting and information collection processes as best suits their individual needs," Kundra testified at the hearing. He said OMB was to conduct training sessions a year ago, using feedback to improve the tool. "CyberScope's extensive platform is the performance-based solution to years of inefficient and unsecured collection of agency security data," he said.
OMB, the White House office where Kundra works, responded to a request to provide an official to discuss CyberScope by referring queries to DHS.
But Kundra, in his earlier testimony, explained how CyberScope would improve the FISMA reporting process. To comply with FISMA reporting rules, each department and agency would e-mail to OMB 100 individual spreadsheets and paper copies of inspectors general's IT security audits. It took the equivalent of three full-time workers a full month to compile and analyze the data submissions. "This manual spreadsheet process was laborious, time consuming and unsecured," Kundra said. "Furthermore, the lack of meaningful analysis, the vulnerable reporting methodology and the manual nature of the process inhibited clear, timely and comprehensive insight into the security posture of the federal government's information technology spring."
One positive finding of the survey: 97 percent of respondents said their agencies have deployed continuous and automatic monitoring technology to identify cyber threats. An OMB directive and legislation before Congress would move FISMA IT security compliance toward continuous monitoring and away from the check-box, paper process.