In October 2009, the US federal Office of Management and Budget (OMB) released CyberScope, a reporting tool for federal agencies. Under FISMA (the Federal Information Security Management Act of 2002), agencies are obliged to report on their information security status. CyberScope was introduced to correct weaknesses in, and streamline, the IT security reporting process. This article takes a look at how CyberScope has improved upon the FISMA reporting approach.
FISMA, enacted as Title III of the E-Government Act of 2002, required regular reporting from federal agencies regarding their information security practices. These reports were to be submitted annually to the Office of Management and Budget. It quickly became clear that the reports being generated were not useful for agencies or oversight groups, as they could only represent a very limited snapshot of an agency's IT security posture.
Additionally, the costs of enforcing FISMA mandates were high. For instance, the certification and accreditation required by FISMA cost $1.3 billion per year, while compliance auditing required another $1 billion. Since the enactment of FISMA in 2002, it is estimated that the federal government has spent over $40 billion. The annual security reports mandated by FISMA cost $1,400 per page to produce, adding up to over $500 million each year.
Clearly, the security reporting processes were costly, time-consuming and insecure, with no demonstrable positive effect on federal cybersecurity. The reporting methods depended on large, static spreadsheets that were often outdated by the time they were published. An automated method that could reduce costs and streamline the reporting process was required.
In October 2009, the OMB revamped FISMA reporting to mandate real-time reporting rather than the previously required annual reports. This new type of reporting would be facilitated by CyberScope, an online reporting tool based on a Justice Department tool. Use of CyberScope was mandated for civilian agencies only; the Department of Defense has its own set of reporting tools and mechanisms.
What is CyberScope?
CyberScope is a web-based application that collects data from each federal agency in order to assess IT security. This represents a major shift, as IT security reporting was previously done through paper reports. CyberScope relies on live data feeds and data entry by agency staff. It is designed as a central repository, accessible by agencies through a standard interface and format. Through this interface, agencies provide data to the OMB, which then compiles and generates reports for other agencies, as required by FISMA.
CyberScope is built around automation: users log in with a PIV (personal identity verification) card and PIN (personal identification number). It supports its 600 agency users in various information collection processes. This more automated and more frequent method improves the monitoring and evaluation of IT security performance over time.
CyberScope in Use
While federal agencies such as NASA, the Department of the Treasury, the Department of Veterans Affairs, the Department of Agriculture and the Department of State were able to submit real-time data feeds by July 2010, many agencies required system upgrades to support the CyberScope reporting program. To accommodate the agencies unable to submit directly through CyberScope, the OMB has allowed reporting through Excel templates, with the information then uploaded as XML.
FISMA reporting through CyberScope for the fiscal year of 2010 involves a three-tiered approach, which is made up of:
a) Direct data feeds from security management tools
Direct reporting from continuous monitoring programs and security management tools is required by the OMB. The OMB has defined a set of elements that monitoring systems are obliged to report on: inventory; systems and services; hardware; software; external connections; security training; and identity management and access. During fiscal year 2010, agencies are required to report quarterly. Beginning in 2011, they will need to report monthly.
b) Government-wide benchmarking regarding IT security
CyberScope presents agencies with a number of questions regarding their security posture. The agency head is also required to submit a comprehensive overview of the information security policies, procedures and practices of the agency. This overview can be completed through CyberScope. From 2010 onwards, the OMB only accepts submissions through CyberScope.
c) Agency-specific interviews
A team of specialists will interview agencies on specific threats. This information will be presented in the 2010 Report on FISMA to Congress.
The combination of electronic interviewing, in-person interviewing and the continuous collection of data aims to develop a cybersecurity profile for each federal agency. These profiles are crucial for identifying strengths and weaknesses in the federal government's IT systems and for ensuring compliance.
As mandated by the OMB, the Department of Homeland Security (DHS) is responsible for providing support to agencies in securing their systems. It is responsible for oversight of the CyberScope tool. The DHS must also track and report progress to ensure implementation is effective.
CyberScope is one of several digital tools that can help support FISMA objectives and facilitate compliance. For instance, the Department of State has introduced a digital security dashboard which monitors its extensive system of 5,000 routers and 40,000 host computers supporting 285 posts worldwide. The automated dashboard is linked to the Risk Scoring Program.
The Risk Scoring Program routinely monitors and assesses ten categories of vulnerabilities. Each category is scored between one and ten, with ten points representing the most severe vulnerability. Using the risk scores, letter grades from A to F- are assigned to the IT professionals responsible for the systems. This is done at least once every two days.
The continuous monitoring model introduced by the Program allows IT professionals to identify their degree of risk against the defined criteria. It also allows them to rank themselves against their peers, which can be motivational and foster competition.
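As an added illustration of the scoring flow described above (this is example code written for this article, not the Department of State's own tooling), the following Python takes constructed per-site scan roll-ups, scores each of ten categories on the 1-to-10 scale, rolls them up into a site score, maps that to a letter grade and ranks the sites against each other. The category names, the linear score mapping, the equal weighting of categories, the grade bands and the sample counts are all assumptions; the page states only the shape of the model (ten categories, 1-10 scores, A to F- grades, peer ranking), not its formulas.

```python
"""Toy continuous-monitoring risk scorer in the style of the Department of State's
Risk Scoring Program. Added illustration only: category names, the linear score
mapping, equal weighting, grade bands and the sample data are all assumptions."""

# Assumed category labels (the page gives only the count: ten).
CATEGORIES = (
    "patching", "anti-virus", "configuration", "password-policy", "unsupported-os",
    "open-ports", "admin-accounts", "incident-reporting", "training", "inventory",
)

# Assumed grade bands on the 1..10 site score (upper bound inclusive);
# anything above the last band gets the worst grade.
GRADE_BANDS = ((2.0, "A"), (4.0, "B"), (6.0, "C"), (8.0, "D"), (9.0, "F"))
WORST_GRADE = "F-"


def category_score(hosts_with_finding: int, total_hosts: int) -> int:
    """Score one category 1..10 from the share of hosts carrying a finding.
    Assumed mapping: 0% of hosts -> 1, 100% -> 10, linear in between."""
    if total_hosts <= 0:
        raise ValueError("a site must have at least one host")
    if not 0 <= hosts_with_finding <= total_hosts:
        raise ValueError("finding count must be between 0 and total_hosts")
    return 1 + round(9 * hosts_with_finding / total_hosts)


def site_score(category_scores: dict) -> float:
    """Roll the ten category scores up into one site score (assumed: plain mean).
    Refuses partial input so a site cannot look good by omitting a category."""
    missing = set(CATEGORIES) - set(category_scores)
    if missing:
        raise ValueError(f"missing categories: {sorted(missing)}")
    for name, value in category_scores.items():
        if not 1 <= value <= 10:
            raise ValueError(f"{name}: score {value} outside 1..10")
    return round(sum(category_scores[c] for c in CATEGORIES) / len(CATEGORIES), 2)


def letter_grade(score: float) -> str:
    """Map a site score to a letter grade using the assumed bands."""
    for upper, grade in GRADE_BANDS:
        if score <= upper:
            return grade
    return WORST_GRADE


def score_site(hosts: int, findings: dict) -> dict:
    """Per-category scores, site score and grade from raw roll-up counts.
    A category absent from `findings` is treated as having zero affected hosts."""
    cats = {c: category_score(findings.get(c, 0), hosts) for c in CATEGORIES}
    total = site_score(cats)
    return {"categories": cats, "score": total, "grade": letter_grade(total)}


def rank_sites(sites: dict) -> list:
    """Peer ranking, lowest risk first: (rank, site, score, grade) tuples.
    Sites with identical scores share a rank (competition ranking)."""
    scored = [(name, score_site(d["hosts"], d["findings"])) for name, d in sites.items()]
    scored.sort(key=lambda item: (item[1]["score"], item[0]))
    ranked, rank = [], 0
    for position, (name, result) in enumerate(scored, start=1):
        if position == 1 or result["score"] != scored[position - 2][1]["score"]:
            rank = position
        ranked.append((rank, name, result["score"], result["grade"]))
    return ranked


# Constructed sample roll-ups: hosts per site and hosts with a finding per category.
SAMPLE_SITES = {
    "HQ": {"hosts": 200, "findings": {
        "patching": 20, "anti-virus": 4, "configuration": 30, "password-policy": 10,
        "unsupported-os": 2, "open-ports": 16, "admin-accounts": 6,
        "incident-reporting": 0, "training": 40, "inventory": 8}},
    "Post-A": {"hosts": 50, "findings": {
        "patching": 35, "anti-virus": 10, "configuration": 40, "password-policy": 24,
        "unsupported-os": 5, "open-ports": 30, "admin-accounts": 12,
        "incident-reporting": 8, "training": 45, "inventory": 20}},
    "Post-B": {"hosts": 80, "findings": {
        "patching": 24, "anti-virus": 8, "configuration": 32, "password-policy": 16,
        "unsupported-os": 0, "open-ports": 20, "admin-accounts": 4,
        "incident-reporting": 2, "training": 28, "inventory": 12}},
}

if __name__ == "__main__":
    for rank, name, score, grade in rank_sites(SAMPLE_SITES):
        print(f"{rank}. {name:<8} score={score:<5} grade={grade}")
```

Running the block as a script ranks HQ first with an A, Post-B second with a B and Post-A third with a C. The peer ranking is the part that carries the motivational effect the text describes: a post that is acceptable in absolute terms still sees how far it trails its peers, and because the scorer rejects missing categories, a site cannot improve its standing by leaving a category out of its feed.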
As a result of the Risk Scoring Program, the Department of State has been able to reduce risk at its domestic offices by 83% since 2008, and at its foreign locations by 84%.
To complement the automated reporting introduced by CyberScope, the OMB implemented a cybersecurity dashboard. This dashboard was created to facilitate FISMA submissions in a timely and secure manner.
This article has explored the need for CyberScope, an automated, real-time reporting tool which allows US federal agencies to comply with FISMA (the Federal Information Security Management Act). Prior to the introduction of CyberScope, agencies relied on a costly and time-consuming reporting method which could only provide a very limited snapshot of their IT security status. CyberScope is also part of a new three-tier approach to FISMA monitoring, made up of direct data feeds, government-wide benchmarking and agency-specific interviews. In addition to CyberScope, the article has also looked at other digital tools based on the continuous monitoring model which can be used to facilitate FISMA compliance.
In preparation for the Certified Information Privacy Professional/US Government exam, a privacy professional should be comfortable with topics related to this post, including:
- Office of Management & Budget – OMB (II.A.c.i.)
- OMB reporting requirements (II.A.c.i.1.b.)
- OMB reporting obligations (II.B.f.i.)
- FISMA reporting (I.C.f.i.2.)