Although the Obama administration unveiled plans for a new IT security reporting mechanism more than a year ago, many federal systems officials report that even by mid-summer they did not have a clear understanding of CyberScope’s mission and goals.
The idea behind the CyberScope portal was to ease the reporting burden tied to the systems certification and accreditation process required by the Federal Information Security Management Act.
But a survey by MeriTalk released this week, based on interviews this summer with 34 federal CIOs and chief information security officers, found that few had used the portal (15 percent) and most did not know its submission requirements (90 percent). The Office of Management and Budget’s deadline for using CyberScope to file FISMA reports is Nov. 15, a little over a month away.
Ultimately, federal CIO Vivek Kundra says the aim is to use the CyberScope portal as a launch pad for a governmentwide cybersecurity dashboard similar to the IT Dashboard.
Tom Conway, director of federal business development for McAfee, recommends that agencies “follow NASA’s and State’s best practices to capitalize on CyberScope’s benefits and realize more secure networks.”
The State Department has been among the agencies that most quickly moved to continuous monitoring and adoption of a security dashboard for tracking and sharing IT security information.
The recent survey suggests that although agencies might have been slow in adopting CyberScope, the same is not true of continuous monitoring. With this approach, an organization proactively gathers data about its network’s health by monitoring systems, traffic and endpoints at short regular intervals and then analyzing the data for anomalies. Nearly all the survey respondents (97 percent) have deployed some form of continuous or automated monitoring tool to help spot and deter cyberthreats.
From the White House perspective, the focus of the new submission process will be on three items: data feeds directly from security management tools, governmentwide benchmarks on security posture and agency-specific interviews. The hope is that these three items, derived from a core set of governmentwide metrics, “will push agencies to examine their risks and make substantial improvements in their security,” according to Kundra’s April memo relaying the November CyberScope submission deadline.
The chief barriers for agencies would appear to be cost and whether IT chiefs perceive value in the new method. Just over half of the survey respondents who had yet to try the portal (55 percent) said they expected the new reporting process to drive up costs. And though one-third said they feel the changes outlined in the memo would result in more secure networks, the remaining 69 percent expressed uncertainty.