CyberScope, a reporting tool developed by the Obama administration to streamline federal agency compliance reporting under the Federal Information Security Management Act (FISMA), is meant to be a facilitator to cybersecurity, and also makes its information available in order to grade federal agencies in terms of their cyber-readiness as part of the CyberStat revew initiative. The CyberScope project also contains a directive to move to an automated continuous monitoring system rather than the cumbersome manual processes many agencies still use today.
In nCircle's survey of federal employees, a full 82% said that CyberScope did not ease the burden of complying with FISMA. And at least one-third of agencies report they have not yet participated in a CyberStat Review session. Of those that have, only 8% say it has improved their agency's overall security performance.
Continuous monitoring is a similarly conflicted item in the hearts and minds of federal employees. Unsurprisingly, the greatest challenge reported in implementing continuous monitoring solutions remains funding, and they continue to look to find budget. Yet 49% of respondents say that their agency's continuous monitoring efforts to date have not resulted in a measurable reduction of risk.
“This is an unfunded mandate, but people do say the money is there to do this, it just has to be reprogrammed”, said Keren Cummins, director of federal markets for nCircle, in an interview. “Continuous monitoring will pay for itself, but that doesn’t mean they can find the upfront capital funds they need to make that transition easily. They need to look creatively, because they can’t drop current activity – they have to continue the manual processes while they implement the continuous monitoring.”
Agencies are still making every effort to get in line with federal programs. In fact 29% of them cited compliance with federal standards as the top security concern for their departments. Cloud computing came in next (20%), followed by advanced persistent threats (17%), mobile devices/BYOD (14%) and virtualized infrastructure (9%).
“What struck me is that we listed a number of areas of concern and hot topics – consider all the focus on mobile devices", Cummins noted. “And what came back was that security compliance is the biggest concern. That’s like asking a police chief what keeps him up at night – if he says ‘City Hall,’ he must live in a very safe town. But as we know, we’re not living in a safe town when it comes to security. Having people more concerned about compliance rather than specific threats worries me.”