Feds Unlikely To Meet Cybersecurity Compliance Deadline

A Nov. 15 date for federal cybersecurity managers to start using the new CyberScope online reporting tool will be missed by many, as 85% have yet to use the new software.

J. Nicholas Hoover, Senior Editor, InformationWeek Government

October 11, 2010

3 Min Read

Slideshow: Next Generation Defense Technologies

(click for larger image and for full photo gallery)

While the White House's Office of Management and Budget has set a deadline of November 15 for federal agencies to begin submitting their cybersecurity compliance reports via a new application called CyberScope, rather than with voluminous stacks of paper, 85% of federal cybersecurity managers have yet to use the new software, according to a recent survey.

CyberScope is an automated, interactive reporting portal to support the compliance reporting requirements of the Federal Information Security Management Act. FISMA reporting has long been seen as too arduous and too far removed from operational cybersecurity metrics, but with CyberScope, the government hopes to move toward real-time or continuous monitoring of compliance.

However, a survey by MeriTalk on behalf of several cybersecurity and IT vendors, including ArcSight, Brocade, Guidance Software, McAfee, Netezza, and ImmixGroup, suggests that many federal agencies and IT leaders are not ready for the shift.

In all, only 15% of the high-ranking government IT officials who were surveyed as part of the study in July said they had used CyberScope. While those who had used the tool rated it with an "A" or "B" grade, the rest largely say they don't understand CyberScope's goals and submission requirements.

These findings come despite the fact that CyberScope was introduced in October 2009, that the Department of Homeland Security has been offering CyberScope training, and that top officials like federal CIO Vivek Kundra have repeatedly discussed CyberScope's value in addressing concerns about FISMA.

"November is right around the corner and Feds should realize the value in embracing this new FISMA reporting tool," Tom Conway, director of federal business development at McAfee, said in a statement. "We are working diligently with our federal customers to help leverage their current large investments in security solutions to meet this new compliance mandate."

Of the 85% of survey respondents who hadn't used the tool, 90% don't have a clear understanding of submission requirements, 72% don't clearly understand CyberScope's mission and goals, 69% aren't sure the new approach will result in more secure systems, and 55% believe FISMA reporting costs will actually increase due to CyberScope.

Earlier this year, Sen. Tom Carper, D-Del., estimated that FISMA's certification and accreditation process costs the government $1.3 billion annually, with auditing adding another $1 billion. Overall, since 2002, Carper said, the feds have spent more than $40 million on FISMA implementation.

Eventually, the administration wants federal agencies to be able to automatically feed information into the CyberScope tool without the need for manual data entry, but for now, many agencies will save their compliance information via a spreadsheet template and then upload it to CyberScope.

About the Author(s)

J. Nicholas Hoover

Senior Editor, InformationWeek Government

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights