OMB shifts to real time cybersecurity monitoring

By Jason Miller
Executive Editor
Federal News Radio

The Federal Information Security Management Act will no longer be a paperwork and compliance exercise.

FISMA long has been criticized and complained about by cybersecurity experts, agencies and the lawmakers who wrote the bill as being nothing more than a way for vendors to write reports and make a lot of money without drastically improving federal cybersecurity.

So Wednesday, the Office of Management and Budget issued guidance that would be a major sea change in how agencies oversee and report on the security of their computer networks.


“The FISMA guidance we issued today is a significant departure from how we operated in the past,” says Vivek Kundra, the federal chief information officer during a telephone press briefing.

The shift, as a result of this guidance, that we are driving is a shift so that the reporting is seen as a bi-product of the very systems we are deploying to make sure we are continuous monitoring how our information systems are being protected. We’re continuously making sure that we are applying patches and deploying solutions that actually position us in an environment where the emerging threat is constantly evolving and the velocity of these threats that approach federal systems are not taken on by annual reports, but by an actual system approach that recognizes the nature of these cyber threat.

Kundra and Howard Schmidt, the White House cyber coordinator, detailed three major changes to how agencies FISMA reporting.

The first requires agencies to submit real-time data about the state of their networks. The second change will be a governmentwide benchmarking study on the state of cybersecurity and the best practices that exist. And finally, the third area will be a series of interviews between OMB and agencies to specifically tailor cybersecurity programs to agency mission needs.

The continuous monitoring change, however, is the most significant, experts say.

Alan Paller, the director of research at the Sans Institute and one of the more vocal critics of the old way of doing FISMA, calls this a new era in federal cybersecurity.

“Until today, FISMA meant either annual (or tri-annual) reports,” Paller says. “Recently – with last year’s Cyberscope, the idea of continuous monitoring was hijacked by the people who wanted to keep spending $1,400 per page ($500 million a year) for reports that are out of date before they are printed. Today you heard that continuous monitoring means near-real-time data on the actual security status of every machine in the enterprise. Wow!”

But not everyone was excited about the new metrics. Schmidt says he has been briefing Capitol Hill on the new metrics and has received positive feedback, but at least one Hill staff member that closely follows cybersecurity didn’t know about the new metrics.

“This kind of disturbs me a little bit that we weren’t given any kind of briefing or heads up about the new metrics,” says the staff member, who requested anonymity because they did get permission to speak on the subject. “But it does give me a good feeling that the administration wants to do something good that we have been telling them for some time.”

The staff member says Schmidt briefed key cybersecurity staff members in recent months and didn’t bring up the proposed changes to FISMA.

Additionally, at least two federal cybersecurity executives say they were unaware that OMB had finally issued new metrics and guidance.

Sen. Tom Carper (D-Del.), who authored FISMA 2 legislation, says in a release that the new guidance is a critical step to improving federal cybersecurity.

“The Obama Administration’s memoranda implements many of the initiatives outlined in my legislation,” Carper says. “For instance, it reinforces the Department of Homeland Security’s role as the coordinating cybersecurity agency for the federal government, requires agencies to use automated capabilities to continuously monitor their cyber defenses, improves the metrics that agencies use to measure the effectiveness of their cyber defenses and redirects agency resources from producing ineffective paperwork to investing in proven security. These measures, although not everything that is needed, will enhance federal agencies’ cybersecurity efforts and stem the tide against our growing vulnerability to cyber criminals and terrorists.”

Under the continuous monitoring initiative, Kundra says agencies will send the data to the Cyberscope tool, run by the Homeland Security Department.

“One of the key things is we are automating processes of doing the status of security is across the government,” Schmidt says. “While there will be reports that need to be generated, it will be based on real time information instead of a snapshot in time. That is very crucial for our ability for anytime during the year to identify what is our status for cybersecurity, where are the things we need to focus on and in some cases if necessary, where do we need to move resources based on the maturity level of the organizations that are doing the work out there.”

Kundra expects some agencies to begin submitting real time data by June or July, but several agencies must upgrade systems to meet these new requirements.

“Justice is helping lead the effort to submit data feeds and by July agencies such as NASA, Treasury, Veterans Affairs, Agriculture and State should come online and submit data feeds in near real time,” Kundra says. “Some agencies will have to make investments at the departmental level to actually get these tools in place. That is another big shift. Instead of generating and spending millions of dollars…just for FISMA compliance, that capital can be and should be used to invest in systems that will move us to greater security.”

OMB on May 7 will host a meeting with agencies to explain the new cybersecurity metrics and how the data feeds will work, he adds. The memo calls for agencies to submit FISMA data through Cyberscope by Nov. 15. And starting January 2011, agencies will be expected to report monthly on system security.

“Cyberscope requires agencies to actually have a system that actively is monitoring and an inventory of all assets like routers, switches and desktops,” Kundra says. “The information will be collected at the agency level and will be able to be correlated so we can see what’s going on not just nationally, but globally. We want to have the right level of detail and ability to go to the most atomic level of analysis to figure out our vulnerabilities.”

For those agencies that will not be ready to submit by January, OMB wants them to use an Excel template and upload the data using XML.

These new requirements are for civilian agencies only. Schmidt says the Defense Department and intelligence community will continue using their current set of tools and reporting mechanism. He adds that DoD is looking at the Cyberscope tool as a way to further increase their visibility.

“We are moving away from the traditional way of reporting and asking what can we do to move forward and make the data stronger and more relevant to the infrastructure we are working today,” Schmidt says. “The government will have a more consistent way to view cybersecurity and the tools we use to look at FISMA.”

(Copyright 2010 by All Rights Reserved.)