The Federal Information Security Management Act is not going away anytime soon. But the way agencies report on their implementation of the seven-year-old law is getting a much needed facelift.
The Office of Management and Budget launched CyberScope on Oct. 19, an online reporting tool based on the Justice Department’s CSAM application.
Federal chief information officer Vivek Kundra says the interactive Web tool lets agencies move from spreadsheets to a system that requires two-factor authentication, including the secure identity card issued under Homeland Security Presidential Directive 12, and gives clear and timely insight across the government.
“Prior to the 2009 reporting cycle, OMB received via e-mail over 100 individual spreadsheets from agencies and paper copies of the Inspector General reports in response to FISMA reporting requirements,” says Kundra Thursday during a hearing before the Senate Homeland Security and Governmental Affairs Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security. “These metrics were lagging indicators focused on compliance rather than outcomes. Agencies reported infrequently and, in many cases, only annually.”
OMB’s goal with CyberScope is to move agencies away from FISMA being a compliance exercise.
“A lot of agencies are looking at these processes as a three-year exercise, rather than looking at their systems’ security on an ongoing basis and monitoring it on a real-time basis,” he says. “CyberScope empowers its 600 estimated agency users to manage their internal reporting and information collection processes as best suits their individual needs.”
The sample CyberScope entry OMB provided the committee shows the agency’s FISMA progress, the status of the reports required by the law and the other documents that are either mandated or optional.
The data collected through this tool will eventually be fed into a new cybersecurity dashboard.
Kundra says this dashboard would be similar to the IT project dashboard OMB launched June 30.
“The dashboard will unlock the value of agency submissions when it comes to FISMA reporting and also the real time posture across the government,” he says. “Just as the IT dashboard took us from a static, paper based environment to a dynamic digital environment, the new cybersecurity dashboard will provide the government with a real-time view of threats facing us and our vulnerabilities.”
Kundra says OMB will combine the dashboard with more detailed cost data agencies are submitting for the first time in 2010 to gauge the value and return on investment the government is getting from its cybersecurity spending. OMB says agencies spent $1.3 billion on FISMA certification and accreditation efforts in 2009, and more than $6.5 billion overall on cybersecurity.
“In the coming years detailed cost data combined with performance based metrics will allow OMB and agencies to effectively manage and make informed decisions when it comes to risk,” he says.
One way OMB is leading this effort is through the CIO Council’s cybersecurity metrics task force.
“The metrics will be focused on game-changing ways to address real security,” he says. “It is not necessarily asking the question do you have a patch management program, but how long does it take for you to patch those systems? We are in early phases in terms of deploying a governmentwide approach.”
Kundra says he would share the draft set of metrics with Congress and the public by November. By early calendar year 2010 OMB will issue the final metrics and the roadmap for future reporting efforts. OMB expects agencies to report on these metrics the first time in the fall of 2010.
Another area OMB is focused on is creating a secure desktop configuration for Microsoft’s new operating system, Windows 7. Kundra says the Defense Department and the National Institute of Standards and Technology are leading that effort in the same way the two agencies created secure configurations for XP and Vista.
The State Department already is doing many of the things Kundra wants to take governmentwide.
John Streufert, State’s chief information security officer, says the agency began using a risk scoring system to complement its FISMA reporting.
Streufert says State uses software to scan every computer and server connected to its network at least every 36 hours and ranks the results against eight security factors. State offices are then scored on how well they mitigate the risks found.
“Since mid-July, overall risk at the department’s key unclassified network measured by the risk scoring system has been reduced by nearly 90 percent in overseas sites and 89 percent in domestic sites,” Streufert says. “The details empower administrators with targeted, daily attention to conduct remediation and the summaries empower executives to oversee the most serious problems.”
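As an added illustration of the kind of continuous risk scoring Streufert describes (this is not State’s software or its actual scoring model): each host’s scan findings are weighted and summed, a host that has not been scanned inside the 36-hour window counts as a finding in its own right, scores roll up per site, and the percent reduction between two snapshots is the figure an executive summary would show. The weights, the finding categories and the sample scan data are all constructed assumptions; the article names eight factors but not their values.

```python
from datetime import datetime, timedelta

SCAN_WINDOW = timedelta(hours=36)  # article: every host scanned at least every 36 hours

# Hypothetical per-finding weights (assumption, not State's real factors).
WEIGHTS = {
    "missing_patch": 10.0,
    "weak_config": 5.0,
    "av_signature_stale": 3.0,
    "unscanned": 20.0,  # no current visibility is treated as the worst single finding
}


def host_score(host, now):
    """Weighted risk for one host; a stale scan overrides whatever was last seen."""
    last_scan = datetime.fromisoformat(host["last_scan"])
    if now - last_scan > SCAN_WINDOW:
        return WEIGHTS["unscanned"]
    return sum(WEIGHTS.get(f, 0.0) * n for f, n in host["findings"].items())


def site_scores(hosts, now):
    """Roll host scores up to the office/site level, the unit State scores on."""
    totals = {}
    for h in hosts:
        totals[h["site"]] = totals.get(h["site"], 0.0) + host_score(h, now)
    return totals


def risk_reduction(before, after):
    """Percent reduction in total risk per site between two snapshots."""
    return {
        site: round(100.0 * (before[site] - after.get(site, 0.0)) / before[site], 1)
        for site in before if before[site] > 0
    }


# Constructed sample data; not real State Department results.
NOW = datetime(2009, 10, 29, 12, 0)
BASELINE = [
    {"site": "overseas", "host": "h1", "last_scan": "2009-10-29T01:00",
     "findings": {"missing_patch": 4, "weak_config": 2}},
    {"site": "overseas", "host": "h2", "last_scan": "2009-10-26T01:00", "findings": {}},  # stale
    {"site": "domestic", "host": "h3", "last_scan": "2009-10-28T20:00",
     "findings": {"missing_patch": 1, "av_signature_stale": 1}},
]
CURRENT = [
    {"site": "overseas", "host": "h1", "last_scan": "2009-10-29T06:00", "findings": {"weak_config": 1}},
    {"site": "overseas", "host": "h2", "last_scan": "2009-10-29T03:00", "findings": {}},
    {"site": "domestic", "host": "h3", "last_scan": "2009-10-29T08:00", "findings": {}},
]
```

Running `risk_reduction(site_scores(BASELINE, NOW), site_scores(CURRENT, NOW))` yields the per-site percentages; note that the stale host h2 contributes risk in the baseline even though it reported no findings.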
Kundra says he’s impressed by State’s approach and has asked the Homeland Security Department and NIST to review the software to expand it across the government.
State also is discussing the system with the Veterans Affairs Department.
Streufert credits State’s leadership for understanding the cyber threat and paying close attention to fixing the problems.
“We used information that was already being collected in the organization, such as certification and accreditation reports,” he says. “About 80 percent was an outgrowth of what was needed to manage PCs and servers, so it was a matter of just lifting the data and putting it in a security warehouse.”
Sen. Tom Carper (D-Del.), chairman of the subcommittee, emphasized that OMB should use State’s approach more broadly across the government.
Carper is sponsoring legislation to update FISMA, but he says he isn’t sure when the committee would take it up.
“OMB is the only one to make this happen absent Congress passing a bill,” Carper says. “Mr. Kundra, take a hard look at what you can do and please do not waste another year or more money.”