Many observers both inside and outside government have come to the conclusion that the government's cybersecurity reporting requirements, as currently implemented, have created an environment in which expensive annual compliance reports that cut into real cybersecurity have become the norm. "These reports ended up being more secure in the cabinets they were living in than were the systems they were meant to protect," federal CIO Vivek Kundra said in a conference call with reporters and White House cybersecurity coordinator Howard Schmidt.
Agencies have been spending as much as $1,400 per page on those reports under requirements of the Federal Information Systems Management Act. The Department of State alone has spent $133 million in the last six years just on FISMA compliance. However, numerous questions continue to arise about the effectiveness of agencies' cybersecurity efforts. That kind of waste has led to simultaneous moves by the White House, the National Institute for Standards and Technology (which has power to set FISMA standards), and Congress to overhaul or refocus FISMA and other federal cybersecurity requirements.
The new policy outlines what Kundra described as a "significant departure" from the way cybersecurity has been measured and managed in government. It is contained in an Office of Management and Budget memo penned by federal chief performance officer Jeffrey Zients, Kundra, and Schmidt, and developed with input from federal CIOs.
Kundra and Schmidt said on the conference call that the new policy points toward continuous monitoring and patching of federal systems, and also toward the deployment of cybersecurity systems that better position the government against constantly evolving threats.
The guidance takes a "three-tiered approach" to FISMA that includes automatic reporting of cybersecurity data feeds directly from agency security and management tools to a tool hosted by the Department of Homeland Security; government-wide benchmarking on agencies' security postures; and agency-specific interviews to help determine the needs and proper metrics for individual agencies.
First, agencies will be required to feed cybersecurity information directly and in near real-time from their own security management tools into the recently implemented Cyberscope security reporting tool, which DHS is now operating. The White House is convening with agencies on May 7 to discuss how they will move forward with this plan, and what new metrics will be included in the new reporting.
This automated reporting should both decrease the amount of money agencies are spending on cybersecurity reporting, and also help the White House best determine where and how resources should be spent on cybersecurity across government, said Kundra and Schmidt. "Capital can and should be used to invest in systems that will be actually enhancing security," Kundra said.
Agencies will begin feeding this data to Cyberscope by June of this year, but Kundra admitted that some agencies will have to make investments in order to get tools like asset management systems and security information management systems in place to feed data to Cyberscope. Some agencies, like the Departments of Justice, Treasury, State, and Veterans Affairs, and NASA, are already able to report to Cyberscope, and will be among the first to do so. The due date for reporting through Cyberscope is November 15, and those agencies that can't yet directly feed information into Cyberscope will be able to provide a data feed as an XML upload to Cyberscope.
Along with this new reporting structure will also come new metrics for agencies to use. Those metrics have been developed in concert with the private sector, academic community, and federal CIOs and CISOs. The new data feeds will include summary information about inventory, systems and services, hardware, software, external connections, security training, and identity management and access.
In terms of government-wide benchmarking, Cyberscope will ask agencies a set of questions on their security posture online, rather than through the submission of an annual signed letter covering the same ground. The White House will also be carrying out agency-by-agency interviews on cybersecurity. "We recognize not all agencies perform the same mission and function," Kundra said. "Historically it was just a lowest common denominator approach, but the nature of the threat can be unique to each agency."
Finally, in addition to the three-pronged approach to overhauling FISMA reporting, the White House memo answers dozens of potential agency questions about FISMA, including some issues outside the scope of the new approach, like whether national security systems fall under this guidance (not typically), who should have the ultimate say over an agency's security posture (the agency head), and whether the SAS 70 compliance audits that the private sector often uses to determine whether third-party systems are secure are sufficient for FISMA compliance (it depends).