Feds Focus On Cybersecurity Monitoring, Reporting

As the House introduces a cybersecurity overhaul bill, federal CIO Vivek Kundra broadly outlines new reporting requirements for federal agencies.

J. Nicholas Hoover, Senior Editor, InformationWeek Government

March 25, 2010

Congress and the White House both appear committed to overhauling the way federal agencies go about securing their IT systems, as the White House Wednesday outlined a new approach to ensuring cybersecurity compliance and a Member of Congress introduced a bill to overhaul government cybersecurity efforts.

The new bill, which draws on ideas found in major government and industry reports on the state of federal cybersecurity and contains many elements similar to a Senate bill reported out of committee Wednesday, would create a new National Office for Cyberspace and revise numerous federal information security requirements.

The Federal Information Security Amendments Act of 2010, introduced by Rep. Diane Watson (D-Calif.), would, like its Senate counterpart, create a formal cybersecurity leadership office and post within the White House. The top position would be appointed by the President and subject to Senate confirmation.

The bill would also create a Federal Cybersecurity Practice Board, made up of cybersecurity leadership from across government, that would be charged with developing compliance guidelines, including minimum security controls, cybersecurity performance metrics, and required security criteria for federal information systems.

Under the bill, agencies would be required to continuously monitor their networks for compliance, deficiencies, and potential vulnerabilities, conduct regular testing and systems evaluation, undergo vulnerability probes by third party "red teams," and obtain audits of their cybersecurity efforts.

IT contractors would also be pulled into the orbit of FISMA audits, and the government would have to create standard policies to ensure secure acquisition of IT products and services, in order to mitigate supply chain risks and to check major systems for vulnerabilities before deployment.

Under the new Office of Management and Budget plan, federal agencies' reporting processes for cybersecurity compliance will see some significant changes this year, federal CIO Vivek Kundra announced at a House Oversight and Government Reform Committee hearing Wednesday.

The overhaul of Federal Information Security Management Act reporting is an outgrowth of a task force OMB stood up last September to develop new "outcome-focused" cybersecurity metrics for federal agencies.

Formal guidance is forthcoming, but Kundra laid out a three-pronged approach to Federal Information Security Management Act reporting that aims to move agency compliance from a largely paper-based exercise focused on counting systems and meeting basic baselines to one based on continuous monitoring and management of cybersecurity performance.

The first prong of the new process deals with data. Instead of requiring agencies only to send semi-annual cybersecurity reports to the Office of Management and Budget, often only in paper form, OMB plans to move toward a policy of collecting cybersecurity data feeds directly from agency systems themselves.

Several agencies, among them the Department of Justice, Department of State, and NASA, already have systems in place that will allow them to report cybersecurity stats directly to OMB, but Kundra concedes that this piece of the effort is more about "setting a marker to encourage agencies to move in that direction" than something that will be reality overnight for all agencies. "The model is to get as close to the golden source of the data as possible," he said in an interview.

The second piece of the new compliance effort will revolve around shaping some reporting requirements to meet the specific needs of different agencies: the Department of State has vastly different cybersecurity requirements than the Department of Energy, for example, Kundra noted.

The final addition to FISMA reporting will give OMB a new, qualitative look at cybersecurity efforts in government, something missing from the reams of quantitative data heretofore used for FISMA compliance efforts. Specifically, over the coming months OMB will interview agencies to gain perspective on their cybersecurity efforts and plans.
