Agency cybersecurity reporting to get makeover

Friday - 10/30/2009, 7:01am EDT

WFED's Jason Miller

OMB has launched new tool to automate FISMA reporting. This data will help populate a new cybersecurity dashboard, federal CIO Vivek Kundra says.


By Jason Miller
Executive Editor

The Federal Information Security Management Act is not going away anytime soon. But the way agencies report on their implementation of the seven-year-old law is getting a much needed facelift.

On Oct. 19, the Office of Management and Budget launched CyberScope, an online reporting tool based on the Justice Department's CSAM application.

Federal chief information officer Vivek Kundra says the interactive Web tool lets agencies move away from spreadsheets and to a system that requires two-factor authentication, including the secure identity card under Homeland Security Presidential Directive 12, and gives clear and timely insight across the government.

"Prior to the 2009 reporting cycle, OMB received via e-mail over 100 individual spreadsheets from agencies and paper copies of the Inspector General reports in response to FISMA reporting requirements," says Kundra Thursday during a hearing before the Senate Homeland Security and Governmental Affairs Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security. "These metrics were lagging indicators focused on compliance rather than outcomes. Agencies reported infrequently and, in many cases, only annually."

OMB's goal with CyberScope is to move agencies away from FISMA being a compliance exercise.

"A lot of agencies are looking at these processes as a three-year exercise, rather than looking at their systems' security on an ongoing basis and monitoring it on a real-time basis," he says. "CyberScope empowers its 600 estimated agency users to manage their internal reporting and information collection processes as best suits their individual needs."

The sample CyberScope entry OMB provided the committee shows an agency's FISMA progress, the status of the reports required by the law, and the other documents that are either mandated or optional.

The data collected through this tool will eventually be fed into a new cybersecurity dashboard.

Kundra says this dashboard would be similar to the IT project dashboard OMB launched June 30.

"The dashboard will unlock the value of agency submissions when it comes to FISMA reporting and also the real time posture across the government," he says. "Just as the IT dashboard took us from a static, paper based environment to a dynamic digital environment, the new cybersecurity dashboard will provide the government with a real-time view of threats facing us and our vulnerabilities."

Kundra says OMB will combine the dashboard with more detailed cost data that agencies are submitting for the first time in 2010 to gauge the value and return on investment of the government's cybersecurity spending. OMB says agencies spent $1.3 billion on FISMA certification and accreditation efforts in 2009, and more than $6.5 billion overall on cybersecurity.

"In the coming years detailed cost data combined with performance based metrics will allow OMB and agencies to effectively manage and make informed decisions when it comes to risk," he says.

One way OMB is leading this effort is through the CIO Council's cybersecurity metrics task force.

"The metrics will be focused on game-changing ways to address real security," he says. "It is not necessarily asking the question, do you have a patch management program, but how long does it take for you to patch those systems? We are in the early phases in terms of deploying a governmentwide approach."

Kundra says he will share the draft set of metrics with Congress and the public by November. By early calendar year 2010, OMB will issue the final metrics and the roadmap for future reporting efforts. OMB expects agencies to report on these metrics for the first time in the fall of 2010.

Another area OMB is focused on is creating a secure desktop configuration for Microsoft's new operating system, Windows 7. Kundra says the Defense Department and the National Institute of Standards and Technology are leading that effort, much as the two agencies created secure configurations for XP and Vista.

The State Department already is doing many of the things Kundra wants to take governmentwide.

John Streufert, State's chief information security officer, says the agency began using a risk scoring system to complement its FISMA reporting.

Streufert says State uses software to scan every computer and server connected to its network at least every 36 hours and ranks the results against eight security factors. State offices are scored on how well they mitigate the risks found.

"Since mid-July, overall risk at the department's key unclassified network measured by the risk scoring system has been reduced by nearly 90 percent in overseas sites and 89 percent in domestic sites," Streufert says. "The details empower administrators with targeted, daily attention to conduct remediation and the summaries empower executives to oversee the most serious problems."