Many agencies will not be able to submit summaries of network threats based on real-time surveillance by the Nov. 15 deadline for reporting on security management to the White House, according to federal officials.
The Obama administration in April announced that agencies this fall must use automated security monitoring tools for transmitting data on computer inventories, security incidents and other indicators to a secure online inbox called Cyberscope. Continuous reporting is expected to reduce the time and cost of complying with the 2002 Federal Information Security Management Act, a law critics say concentrates too much on paperwork documenting protocols, and not enough on executing them.
But many agencies are not there yet. "My bet is it won't be done in the next year," said James A. Lewis, a senior fellow at the nonpartisan Center for Strategic and International Studies who researches cybersecurity. He said the Office of Management and Budget eventually might have to issue new rules such as, "You can't spend any money on IT until you put this stuff in place," to enforce real-time monitoring.
Of the 24 major agencies, "a few of them are already there; a lot of them are not," Lewis added. He estimated between 20 percent to 25 percent of the major agencies would be online by Nov. 15. "It's a big change and moving people from where they are now to a better place is a great first step," Lewis noted.
If agencies do not have live surveillance systems, then they are supposed to manually record certain metrics, save the information in a digital format and send it to Cyberscope on a spreadsheet template or a Web-compatible file format such as XML, according to OMB policy .
The Homeland Security Department is helping agencies transition to the new digital process. Agencies without automated monitoring tools likely will use an XML model that Cyberscope can ingest, Greg Schaffer, DHS assistant secretary for cybersecurity and communications, said in an interview on Wednesday. "I do think this will give us in the long run much higher fidelity information," he added.
Schaffer said the shift to real-time monitoring will be "a process" and he could not provide a specific timeline.
The schedule will be dictated from the bottom up -- based on how quickly agencies can set up enhancements needed for live surveillance -- not from any top-down DHS or OMB mandates, Homeland Security officials added on Friday.
They said the price of the additional equipment will vary significantly, depending on the number of users at the agency. Lewis said agencies should not put off buying the new technology just because of cost.
"This is actually effective, so whatever they spend now [on FISMA compliance] is just wasted money," he said. "If we can take the same money and spend it on something that's actually useful we'll be better off."
A July policy clarification on FISMA stated that Homeland Security now is in charge of the operational aspects of governmentwide cybersecurity. OMB will retain fiscal oversight of agencies' use of cybersecurity funds and policy issues.
OMB officials on Friday referred questions about the budget and timeline for rolling out real-time monitoring to DHS.