FISMA, Cyberscope and Federal IT Security

Feb 26, 2010

The passage of the “E-Government Act of 2002” created the Office of Electronic Management within the Office of Management and Budget (OMB), led by a Presidential appointee. Under President Obama this administrator has become the Federal Chief Information Officer, but the role remains essentially the same.

An important part of the E-Government Act is Title III, also known as the “Federal Information Security Management Act of 2002,” or FISMA. This title places authority for non-national-security information security in the hands of the CIO and requires NIST to develop a system for measuring and evaluating information security protocols. This ultimately led to the FISMA reporting requirements, which aim to ensure that federal agencies follow computer security best practices.

The reporting requirements cover the classification of each information system’s security profile, as well as the protocols and procedures for documenting and responding to potential and actual security incidents. Although FISMA’s goal is to raise awareness of cybersecurity, it has been criticized as ineffective at actually improving cybersecurity, or as merely an exercise in bureaucracy and paperwork.

On October 29th, 2009, Vivek Kundra, the current Federal CIO, unveiled CyberScope to replace the existing insecure paper- or e-mail-based reporting. In addition to improving the security of the reports, CyberScope streamlines the process by providing a standard reporting format, allowing greater insight into the data and removing the need to combine reports submitted in various formats. Ultimately, CyberScope will result in a “cybersecurity dashboard,” not unlike the IT Dashboard (it.usaspending.gov) that currently tracks federal spending on IT projects.

Mr. Kundra has also been impressed by the Department of State’s efforts to improve cybersecurity. FISMA reporting had previously been a multi-month process; although CyberScope should shorten that timeframe, State goes further by scanning all of its machines via software at least every 36 hours to update and evaluate risks. This near-real-time monitoring brings State’s program more in line with what critics have said FISMA should be promoting.

The move towards CyberScope is part of Mr. Kundra’s broader goal of streamlining processes across federal IT, including reducing redundant data centers. This will likely include taking advantage of the cloud computing services announced and released in the last year by various major internet companies.

Philip Kimmey

Intern, CSIS Technology & Public Policy Program
