Fed Agencies Say Goodbye to Paper Security Reports
Thursday, 22 April 2010
By Mark Henricks
Federal agencies will stop filing paper information security reports and start feeding real-time electronic data into security monitoring and alert systems under the White House's new guidelines for adhering to the Federal Information Security Management Act (FISMA). Federal CIO Vivek Kundra said the change will help agencies spot vulnerabilities faster and move quickly to install protections.
Cost savings are another hoped-for benefit of the switch away from the old paper-based reports. Kundra, writing in his blog, noted that since FISMA's 2002 passage the State Department had spent $133 million generating 95,000 pages of security documentation. Despite the cost -- roughly $1,400 per page -- Kundra said the paper reports were often outdated within days.
Achieving these anticipated gains from the new FISMA reporting structure will require considerable effort on the part of agencies, government CIOs and security officials. The directive covers all agencies, even micro-agencies -- those with fewer than 100 employees. And it's all going to have to be done by Nov. 15, 2010, according to a memo from Kundra, Cybersecurity Coordinator Howard Schmidt and Jeffrey Zients, deputy director for management at the OMB.
Central to the change is that all reports will now be filed via CyberScope, an interactive Web tool for online reporting. It's anticipated that CyberScope will evolve into a dashboard similar to the federal IT spending dashboard at it.usaspending.gov. Micro-agencies will report a subset of the same data larger agencies report.
CyberScope is said to be based on a similar tool developed by the Department of Justice. The State Department was the inspiration for the real-time reporting requirement in the new guidelines. Software scans evaluating risks in all the machines in that department have been taking place every 36 hours.
Another major change is a government-wide benchmark on security posture, to be created with the help of questions posed to agencies via CyberScope. Agency-specific interviews will also be held to gain additional information for the benchmark. Agencies will be assessed in numerous areas, including certification, incident management, security training, remote access, continuous monitoring, contractor oversight, contingency planning and identity management.
A Personnel Identity Verification card conforming to Department of Homeland Security guidelines will be required for access to CyberScope for all purposes. Homeland Security has also been designated to provide operational support and progress monitoring for all federal agencies. Training on CyberScope is supposed to be available beginning in May.