OMB requires agencies to submit FISMA reports via online tool

All agencies must submit compliance reports with federal information security requirements using an automated tool that sends the data to the Office of Management and Budget via the Internet, according to an OMB memo sent on Thursday to agency heads.

The memo directs agencies to submit the reports mandated by the 2002 Federal Information Security Management Act by Nov. 18, giving agencies an extra two months to adapt to the new collection system. Full instructions on how to use the tool and a test version will be available in August. FISMA requires agencies to identify and inventory IT systems, determine the sensitivity of the information stored on those systems, find holes that hackers could access and deploy security controls.

Agencies also are required to use the online tool to submit a separate report on their progress in safeguarding personally identifiable information and responding appropriately in case of a breach, to comply with a May 2007 OMB memo.

Chief information officers, inspectors general, and senior agency officials for privacy are required to report through the automated collection tool.

"While the content of the report has changed little since 2008, the means of collection has changed substantially," Jeffrey Zients, OMB's deputy director for management, and federal CIO Vivek Kundra said in the Aug. 20 memo. "This year, rather than using spreadsheets, the annual FISMA report data collection will occur via an automated reporting tool," which will allow both manual data entry and automatic upload of data.

Kundra first announced plans to automate the collection of FISMA data in a June letter to the Government Accountability Office in response to a GAO report that pointed out persistent security weaknesses in federal agencies, despite reports of progress. In his letter, Kundra called the existing annual reporting process manual and cumbersome, with more than 160 agencies submitting more than 200 spreadsheets. An Internet-enabled database would allow "the collection of more evaluative metrics, such as performance metrics," he said.

Security specialists predicted the new tool will do little to improve security of computer systems and networks because the metrics under FISMA remain flawed.

"This does the proverbial 'paving of the cow path,' " by automating a business process without considering whether the process is effective or efficient in the first place, said one former federal CIO who asked not to be named. "We aren't changing or reengineering the process or easing the requirements. The fact that you can submit online is nice, but it doesn't change the complexity or the real burden."

Alan Paller, director of the SANS Institute, an information security training and certification group, agreed that the new requirement doesn't address the real problem. "It saves time to use automated tools, but it saves time doing the wrong thing," he said.