Formal guidance is forthcoming, but Kundra laid out a three-pronged approach to Federal Information Security Management Act reporting that aims to move agency compliance from a largely paper-based exercise focused on counting systems and meeting basic baselines to one based on continuous monitoring and management of cybersecurity performance.
The first prong of the new process deals with data. Instead of requiring agencies only to send semi-annual cybersecurity reports to the Office of Management and Budget, often only in paper form, OMB plans to move toward a policy of collecting cybersecurity data feeds directly from agency systems themselves.
Several agencies, among them the Department of Justice, Department of State, and NASA, already have systems in place that will allow them to report cybersecurity stats directly to OMB, but Kundra concedes that this piece of the effort is more about "setting a marker to encourage agencies to move in that direction" than something that will be reality overnight for all agencies. "The model is to get as close to the golden source of the data as possible," he said in an interview.
The second piece of the new compliance effort will revolve around shaping some reporting requirements to meet the specific needs of different agencies: the Department of State has vastly different cybersecurity requirements than the Department of Energy, for example, Kundra noted.
The final addition to FISMA reporting will give OMB a new, qualitative look at cybersecurity efforts in government, something missing from the reams of quantitative data heretofore used for FISMA compliance efforts. Specifically, over the coming months OMB will interview agencies to gain perspective on their cybersecurity efforts and plans.