The Office of Management and Budget (OMB) set a November 15, 2010 deadline for all federal agencies to begin submitting FISMA reports via Cyberscope, according to an April 21 memo.
I recently had the chance to speak with Washington Times and Government Security News about the McAfee sponsored study FISMA’s Facelift: In the eye of the beholder?, which surveyed Chief Information Officers and Chief Information Security Officers from 34 Cabinet-level departments and agencies regarding the new CyberScope tool.
Of the federal CIOs and CISOs surveyed:
- Only 15% of those surveyed had used the new tool
- 69% were unsure if the tool would deliver more secure federal networks;
- 55% said the new submission process would increase the cost of compliance;
- 72% did not have a clear understanding of CyberScope’s mission and goals; and
- 90% did not have a clear understanding of the submission requirements
- 100% of those who have used the tool graded it an “A” or “B”
Although the survey findings sound dire, since its completion a considerable amount of work has been done by DHS to drive awareness and training to the federal community that will be required to use CyberScope. I am confident that our federal agencies will meet OMB’s deadline and embrace CyberScope. DHS has even created a centralized email account for CyberScope related inquiries –FISMA.FNS@DHS.Gov.
But remember, reporting should be a bi-product of the continuous monitoring solutions that are deployed to make sure information systems are being protected. CyberScope alone is not the answer. Utilizing tools like CyberScope in conjunction with other existing continuous monitoring tools such as, McAfee Vulnerability Manager and McAfee Policy Auditor provide agencies the ability to automate the once lengthy and labor-intensive FISMA reporting process, thus allowing the departments and agencies to focus on more outcome-driven security metrics rather than just a compliance exercise.
You can view and download the report in full here.