Security reporting overhaul costly but necessary, analysts say

Old FISMA requirements not sufficient to fight threats, but new programs will require more funding.

The federal government needs a better system for assessing and reporting cybersecurity threats, but real progress is impossible without more money for new programs, observers said on Tuesday.

During a conference in Washington hosted by software solutions company SAS, security analysts agreed the 2002 Federal Information Security Management Act, which requires agencies to submit comprehensive security reports on a semiregular basis, no longer provides the guidance necessary to effectively monitor cyber threats. Critics have called the current process burdensome and a distraction from security.

White House Cybersecurity Coordinator Howard Schmidt and federal Chief Information Officer Vivek Kundra recently outlined a new monitoring approach that will require agencies to regularly feed information about their systems, software, security training and user access into a central Web-based portal called CyberScope. Agencies can begin using the tool in June, and monthly reporting will be required starting in 2011, according to the Office of Management and Budget memorandum issued last month.

FISMA made sense at the time it was written because some agencies paid no attention to cyber threats, said Tom Davis, director of federal government affairs at Deloitte and Touche and a former congressman and leader of the House Oversight and Government Reform Committee. "No one understood that there were no safeguards and hackers were five or six steps ahead of us. The procedures brought some awareness to government."

But analysts agree the guidelines are outdated, and government needs to move from a reactive approach to a preemptive one.

"FISMA got us to a certain bar, but the reality is that we're more compromised today than we've ever been," said Travis Reese, executive vice president and chief operating officer of Mandiant Corp., which offers intelligence security solutions.

Government and industry should move away from the mind-set in which they could pass FISMA audits but still be vulnerable to security threats, said Bud Horton, executive director of Accenture Technology Consulting-Security, adding that too many organizations get hung up on checklists without focusing on actual security outcomes.

"It's nice to check all the boxes and have procedures, but does it really work?" Davis said.

According to Davis, as cyber threats escalate and more information is lost, government will need additional funding to build effective security programs. The push must come from OMB and the Obama administration, which has brought in strong leadership and made cybersecurity a priority, he said. Congress also can't agree on which committee should have jurisdiction over security bills, creating confusion, he added.

"I hope we wake up before some sort of cyber Pearl Harbor happens, but without additional money it's difficult to do," he said.
