New rules call for agencies to continuously collect data about security status and stream it to OMB monthly, rather than report quarterly by paper.
Agencies soon will be required to digitally monitor the security of their computer systems and feed summaries of their findings to a central website under new federal information security rules the White House issued on Wednesday.
The continuous reporting requirements outlined in an OMB memorandum are intended to improve the execution of the 2002 Federal Information Security Management Act. Critics say FISMA demands too much burdensome reporting and takes attention away from security. Several lawmakers are pushing to update the law, but for the time being the White House is working within the confines of the statute to alleviate reporting hassles.
"We're automating the process," said White House Cybersecurity Coordinator Howard Schmidt, adding reports to the Office of Management and Budget and Congress will be "based on real-time information as opposed to a snapshot in time."
The key to this new approach will be software that transmits data on the status of controls directly from each division of an agency. The data feeds will include information about an agency's inventory of systems and software, external connections, security training and user access.
Agencies must submit this information through a new Web-based gateway called CyberScope by Nov. 15, and starting in 2011, they must file reports monthly, according to the memo. OMB will begin training them on how to use the tool in May.
Federal Chief Information Officer Vivek Kundra called the guidance a significant departure from past operations. The paperwork required for compliance with FISMA cost $1,400 a page, he said. The new system is computerized and recognizes the nature of agency-specific cybersecurity threats. The Homeland Security Department will oversee CyberScope and help agencies use the tool.
Agencies are expected to start feeding data through CyberScope as early as June, Kundra said. NASA, Treasury, and the State and Veterans Affairs departments plan to go live in July. Justice developed the tool for widespread use.
The new strategy "begins to bring sunlight to an area that had been in the dark," said Alan Paller, director of research for the SANS Institute, a computer security training organization. "Before, no agency had known the status of their systems."
Prior to Wednesday, department heads did not have the power to ask for security management information from bureaus and other agency components, he added. For example, the chief information security officer at the Treasury Department lacked the authority to access Internal Revenue Service activity reports, he said.
According to the memo, agencies must provide a holistic view of their security program, along with information about the specific security postures of major department divisions. The aim is to distinguish top-performing divisions from poor performers to more accurately gauge the agency's overall security situation.
Previously, "you were responsible but you had no visibility," Paller said. "You'd be shocked at how little data the [chief information security officer] can get its hands on. If you don't have any data, how can you manage it?"
Wednesday's rules encourage agencies to use cloud computing to feed their security data to CyberScope, which would entail renting software from third parties to submit reports.
"Agencies are permitted to utilize these types of agreements and arrangements, provided appropriate security controls are implemented," the memo stated. "We encourage agencies to seek out and utilize private sector, market-driven solutions resulting in cost savings and performance improvements."
In addition to the new continuous monitoring system, computerized questionnaires and in-person interviews will be part of the 2010 FISMA reporting process. CyberScope will ask agencies a general set of questions about their security status. Afterward, a team of federal security specialists will interview officials from each agency on specific vulnerabilities.
"This process is designed to shift our efforts away from a culture of paperwork reports," the memo states. "The focus must be on implementing solutions that actually improve security."