Work with federal information systems? Responsible for risk management, continuous monitoring, or FISMA compliance? Check out my book: FISMA and the Risk Management Framework.

Tuesday, October 5, 2010

Six weeks away from Cyberscope deadline, many agencies remain unclear on requirements

Nearly a year ago, the federal government announced its new Cyberscope online application for reporting agency information associated with the Federal Information Security Management Act (FISMA). In more detailed subsequent guidance issued in April through Memorandum M-10-15, OMB Deputy Director Jeffrey Zients, Federal CIO Vivek Kundra, and Cybersecurity Coordinator Howard Schmidt put agencies on notice that they would be required to begin submitting FISMA reports online using Cyberscope by November 15. Now, with that deadline just six weeks away, results a survey of federal CIOs and CISOs conducted by MeriTalk on behalf of several security vendors suggest that few agencies are yet familiar with the tool or its associated reporting requirements, and that lack of familiarity also translates to uncertainty about what impact the new approach or the new reporting requirements may have on federal information security.

Results reported from the survey include that just 15 percent of those surveyed (15% of 34 = 5 individuals) had actually used the Cyberscope tool, despite the fact that it has been available for months. Perhaps unsurprisingly, large proportions of the majority of survey respondents who had not yet used the application did not have a clear understanding of either the mission and goals for Cyberscope or of the specific reporting requirements for which these same respondents will soon be held accountable. If it seems a bit unrealistic to expect executives whose agencies have not begun evaluating or working with the tool to have informed opinions about how well it will work, bear in mind that OMB's plan for FISMA reporting is to have agencies move to a monthly (rather than the current quarterly) report submission beginning in 2011, and any agency that hasn't started planning to satisfy that requirement seems likely to have trouble meeting it. Ironically, the intention is for Cyberscope to ease the reporting burden on agencies, by automating monthly data feeds from agency FISMA management tools to Cyberscope. For agencies using the Cyber Security Assessment and Management (CSAM) system hosted by the Justice Department, the migration to automated reporting should be a relatively straightforward task given that the key information is already stored in a central location in a consistent format. However, any agency that assumes that Cyberscope won't require any significant changes in their information security program management are likely to be in for a disappointing winter on the FISMA reporting front.

No comments:

Post a Comment