Agencies must submit information on the health and security of their computer networks into an automated tool, called Cyberscope, by Nov. 15, and every month thereafter.
Office of Management and Budget Director Jack Lew sent the annual Federal Information Security Management Act guidance to agencies Sept. 14 detailing new mandates to use the online tool as part of the administration’s push to have continuous monitoring of agency computer networks.
“This shift from the once-a-year FISMA reporting process to a monthly reporting of key metrics through Cyberscope allows security practitioners to make decisions using more information — delivered more quickly than ever before,” Lew wrote in the memo to agency secretaries. “The goal for federal information security in FY 2011 is to build a defensible federal enterprise that enables agencies to harness technological innovation, while protecting agency information and information systems. To maximize the timeliness and fidelity of security related information, the collection of data should be a by-product of existing continuous monitoring processes.”
The Homeland Security Department issued the specific guidance as part of OMB’s memo. OMB gave DHS oversight authority over FISMA reporting in 2010.
“While full implementation of automated security management tools across agencies will take time, agencies should report what they can using output from their automated security management tools,” wrote Roberta Stempfley, acting assistant secretary in the DHS Office of Cybersecurity and Communications in a memo to agency security managers. “These reporting requirements will mature over time as the efforts of the Chief Information Officer (CIO) Council’s Continuous Monitoring Working Group, in collaboration with the agencies, evolve and additional metrics and capabilities are developed.”
Stempfley said DHS is not changing the metrics or reporting schemas from 2010, but will update the metrics as the CIO Council develops them.
OMB first asked agencies to use the Cyberscope tool last year but still accepted other methods for reporting FISMA data.
By mandating all data come in through Cyberscope, DHS will have one place to review all agency data on the health of governmentwide networks. It also is expected to save agencies money as automated reporting is less expensive than the once-a-year reporting traditionally done under FISMA.
In the fiscal 2012 budget passback, OMB set a deadline of Sept. 30 for agencies to use Cyberscope. Now that date has been extended by 45 days. There is no word on whether OMB changed the requirement for agencies to continuously monitor their networks by the end of 2012.
A request to OMB for comment on why the extended deadline was not immediately returned.
Along with monthly data, agencies will submit details on how they are meeting FISMA metrics twice during the year, between April 1-15 and again between July 1-15.
In addition to the data feeds to Cyberscope, agencies must answer a set of information security questions.
“These questions address areas of risk and are designed to assess the implementation of security capabilities and measure their effectiveness,” Stempfley wrote.
DHS also will use the data in Cyberscope during its CyberStat sessions, in which it reviews and helps agencies improve their network security.
“Information compiled from the review process will also give DHS, OMB, National Security Staff and other relevant stakeholders a holistic viewpoint of the cybersecurity posture of the executive branch of the federal government, informing future policy and oversight decisions,” Stempfley wrote. “A team of government security specialists will interview agencies not selected for a formal CyberStat review. These interviews will be focused on specific threats that each agency faces as a consequence of its unique mission.”
DHS also included 55 questions and answers in the guidance to help agencies understand the basics of the new requirements.