OMB shifts to real time cybersecurity monitoring

Thursday - 4/22/2010, 6:57am EDT


By Jason Miller
Executive Editor
Federal News Radio

The Federal Information Security Management Act will no longer be a paperwork and compliance exercise.

FISMA long has been criticized and complained about by cybersecurity experts, agencies and the lawmakers who wrote the bill as being nothing more than a way for vendors to write reports and make a lot of money without drastically improving federal cybersecurity.

So Wednesday, the Office of Management and Budget issued guidance that would be a major sea change in how agencies oversee and report on the security of their computer networks.

"The FISMA guidance we issued today is a significant departure from how we operated in the past," says Vivek Kundra, the federal chief information officer during a telephone press briefing.

"The shift, as a result of this guidance, that we are driving is a shift so that the reporting is seen as a byproduct of the very systems we are deploying to make sure we are continuously monitoring how our information systems are being protected. We're continuously making sure that we are applying patches and deploying solutions that actually position us in an environment where the emerging threat is constantly evolving and the velocity of these threats that approach federal systems is not taken on by annual reports, but by an actual system approach that recognizes the nature of these cyber threats."

Kundra and Howard Schmidt, the White House cyber coordinator, detailed three major changes to how agencies handle FISMA reporting.

The first requires agencies to submit real-time data about the state of their networks. The second change will be a governmentwide benchmarking study on the state of cybersecurity and the best practices that exist. And finally, the third area will be a series of interviews between OMB and agencies to specifically tailor cybersecurity programs to agency mission needs.

The continuous monitoring change, however, is the most significant, experts say.

Alan Paller, the director of research at the SANS Institute and one of the more vocal critics of the old way of doing FISMA, calls this a new era in federal cybersecurity.

"Until today, FISMA meant either annual (or tri-annual) reports," Paller says. "Recently - with last year's Cyberscope, the idea of continuous monitoring was hijacked by the people who wanted to keep spending $1,400 per page ($500 million a year) for reports that are out of date before they are printed. Today you heard that continuous monitoring means near-real-time data on the actual security status of every machine in the enterprise. Wow!"

But not everyone was excited about the new metrics. Schmidt says he has been briefing Capitol Hill on the new metrics and has received positive feedback, but at least one Hill staff member that closely follows cybersecurity didn't know about the new metrics.

"This kind of disturbs me a little bit that we weren't given any kind of briefing or heads up about the new metrics," says the staff member, who requested anonymity because they did not get permission to speak on the subject. "But it does give me a good feeling that the administration wants to do something good that we have been telling them for some time."

The staff member says Schmidt briefed key cybersecurity staff members in recent months and didn't bring up the proposed changes to FISMA.

Additionally, at least two federal cybersecurity executives say they were unaware that OMB had finally issued new metrics and guidance.

Sen. Tom Carper (D-Del.), who authored FISMA 2 legislation, says in a release that the new guidance is a critical step to improving federal cybersecurity.

"The Obama Administration's memoranda implements many of the initiatives outlined in my legislation," Carper says. "For instance, it reinforces the Department of Homeland Security's role as the coordinating cybersecurity agency for the federal government, requires agencies to use automated capabilities to continuously monitor their cyber defenses, improves the metrics that agencies use to measure the effectiveness of their cyber defenses and redirects agency resources from producing ineffective paperwork to investing in proven security. These measures, although not everything that is needed, will enhance federal agencies' cybersecurity efforts and stem the tide against our growing vulnerability to cyber criminals and terrorists."

Under the continuous monitoring initiative, Kundra says agencies will send the data to the Cyberscope tool, run by the Homeland Security Department.

"One of the key things is we are automating processes of doing the status of security is across the government," Schmidt says. "While there will be reports that need to be generated, it will be based on real time information instead of a snapshot in time. That is very crucial for our ability for anytime during the year to identify what is our status for cybersecurity, where are the things we need to focus on and in some cases if necessary, where do we need to move resources based on the maturity level of the organizations that are doing the work out there."