Federal CIOs, CISOs struggle with CyberScope FISMA reporting tool

The Office of Management and Budget (OMB) set a Nov. 15 deadline for all federal agencies to begin submitting FISMA reports via CyberScope, according to an April 21, 2010, memo. The memo said that all FISMA reporting must be submitted through CyberScope by the Nov. 15 deadline and that “no FISMA submissions will be accepted outside of CyberScope”.

Despite this, 85% of federal CIOs and CISOs surveyed in July by MeriTalk had not used CyberScope. The study was conducted on behalf of information security product firms ArcSight, Brocade, Guidance Software, McAfee, Netezza, and immixGroup.

Of the federal CIOs and CISOs who had not used the tool:

  • 69% were unsure if the tool would deliver more secure federal networks;
  • 55% said the new submission process would increase the cost of compliance;
  • 72% did not have a clear understanding of CyberScope’s mission and goals; and
  • 90% did not have a clear understanding of the submission requirements.

Those numbers may not reflect the current situation, noted Ed White, director of business development at McAfee. In an interview with Infosecurity, White said that since the survey was conducted, the Department of Homeland Security’s Federal Network Security (DHS FNS) branch, which took over implementation of CyberScope in April 2010, has undertaken an outreach and training program to get federal agency staff ready to use the CyberScope tool by the Nov. 15 deadline.

“The outreach [that DHS FNS] planned and executed has been more far-reaching than it was earlier in the summer when we did the report….The operator training program began later in the summer and is close to being complete”, he said. “They are doing their best to try and push out the program, the roles and responsibilities, what’s expected of the individual entities that will use the tool”, he added.

Based on feedback he has received recently, White judged that all of the CIOs and CISOs now know about the CyberScope tool.

One of the recommendations contained in the study to encourage federal agency use of the CyberScope tool was to “penalize” agencies for noncompliance. White explained that FISMA does not contain formal penalties for non-compliance, so there are no legal means to penalize agencies. However, cybersecurity legislation circulating on Capitol Hill contains provisions that would strengthen the original FISMA legislation to improve federal agency compliance.

CyberScope is a “valuable” tool for collecting data on FISMA compliance, White said, because that data can then be used to address information security gaps in federal networks as soon as the gaps are identified.

“Reporting should become a by-product of the continuous monitoring solutions that are deployed to make sure that the government information systems are being protected. So you operationalize compliance….This is going to give the government better situational awareness. The tool is not a panacea, but it is a by-product of doing good security….CyberScope will be the reporting tool of that continuous monitoring process that is in place,” he said.

White added that McAfee does not have a direct role in CyberScope, which was developed by CyberBalance. McAfee supplies tools to the federal government that would “feed” CyberScope with information to give the government situational awareness, he explained. McAfee and other suppliers of information security products are “writing the scripts” to enable integration of data into the CyberScope tool, once the tool is up and running, he said.

Based on the DHS FNS efforts, White predicted that all federal agencies will meet the Nov. 15 deadline for submission of FISMA compliance reports via CyberScope.
