FISMA’s Facelift: In the Eye of the Beholder? October 4, 2010
Jan 20, 2016
Introduction
Since 2002, the Federal Information Security Management Act (FISMA) has required Federal security leaders to conduct annual reviews of their agency’s information security program.
The cost is significant – $40B* since 2002. To streamline the process, the White House issued new direction focused on a new online portal, CyberScope.
Will these efforts improve reporting, reduce costs, and result in more secure Federal networks?
In May 2010, ArcSight, Brocade, Guidance Software, immixGroup, McAfee, and Netezza worked with MeriTalk to survey 34 CIOs and CISOs on their perceptions of the new requirements, barriers to change, and the path forward.
*Source: Congressional Testimony of Tom Carper, D.-Del, reported in GovInfoSecurity (http://www.govinfosecurity.com/articles.php?art_id=1894)
New CyberScope Reporting Portal:
• Interactive tool to support FISMA reporting
• Launched October 2009
• Designed to streamline reporting, enhance analysis, reduce costs
Source: http://www.govinfosecurity.com/articles.php?art_id=1894
New White House Guidance:
• April 21, 2010 memo emphasizes need for continuous monitoring
• Identifies CyberScope as the platform for FY 2010 FISMA submissions
Source: http://tinyurl.com/286hnb7
Contents
• Key Findings
• The Cost of Compliance
• Continuous and Automatic Today
• CyberScope
• Recommendations
• Methodology and Demographics
Key Findings
• Change in Federal IT security management is here:
  • Nearly all (97%) say they have deployed continuous and automatic monitoring for cyber threats
• Few have used CyberScope, but those who have give the portal high marks:
  • 15% of CIOs/CISOs surveyed have used CyberScope
  • 100% of those who have used the tool grade it an “A” or “B”
• Of those who have not used CyberScope, many are unclear about the benefits:
  • 69% are unsure if changes will deliver more secure Federal networks
  • 55% say a new submission process will increase the cost of compliance
  • 72% do not have a clear understanding of the mission and goals
  • 90% do not have a clear understanding of the submission requirements
• CyberScope Path to Success:
  • Need to promote the tool, train users, and address funding perceptions
The Cost of Compliance
The Federal government invests heavily in FISMA compliance and processing annually.
FISMA C&A Processes: $1.3B annually
FISMA Auditing: $1B annually
Total Spent Since FISMA Enacted: $40B since 2002
Source: Congressional Testimony of Tom Carper, D.-Del, reported in GovInfoSecurity (http://www.govinfosecurity.com/articles.php?art_id=1894)
Only 32% of agencies received “good” or “excellent” FISMA grades in FY 2008*
*http://www.whitehouse.gov/sites/default/files/omb/assets/reports/fy2008_fisma.pdf
Take Away: Old Approach Broken
Continuous and Automatic Today
Feds are working to stay a step ahead.
97% have deployed continuous and automatic monitoring for cyber threats
Tools Feds are Using:
[Chart: Output from network monitoring tools, Log files, SIEM tools, Other* – reported usage rates of 79%, 76%, 38% and 9%; the pairing of each percentage with its tool is not recoverable from the extracted text]
(*Other responses included: HIPS, Anti-virus, IDS, firewalls, and STAT – Respondents asked to check all that apply)
Take Away: Waking Up to Around the Clock Vigilance
CyberScope
Fed leadership is mandating the move to more efficient and streamlined reporting approaches.
OMB deadline for Feds to submit FISMA reports via CyberScope*: November 15, 2010
Take Away: Fast Approaching Deadlines
*http://tinyurl.com/286hnb7
CyberScope in Action
Most CIOs/CISOs have not yet used CyberScope.
Only 15% of CIOs/CISOs report they have used CyberScope
Take Away: Need Greater Conversion – Long Way to Go Between July and November
Early Adopters Give High Marks
Feds who have used CyberScope give positive feedback on the tool.
Out in Front: 100% of those who have used the tool give it a grade of A or B
Take Away: Passes Taste Test
CyberScope – What?
However, most* are unclear on CyberScope’s goals and requirements.
72% say they do not have a clear understanding of CyberScope’s mission and goals
90% say they do not have a clear understanding of the submission requirements
*Those who have not used CyberScope
Take Away: Education, Education, Education
Will it Make Things Better?
And, they* are unclear if the new approach will improve oversight and/or security.
Will changes outlined in the April 21 White House memorandum improve oversight?
Unsure, 55%; Yes, 28%; No, 17%
Will changes outlined in the April 21 White House memorandum result in more secure Federal networks?
Unsure, 69%; Yes, 31%
*Those who have not used CyberScope
Take Away: Education, Education, Education
Will it Make Things Better?
Critically, CIOs/CISOs need to see the benefits. Today, they do not anticipate cost savings from the new approach.
55% of CIOs/CISOs who have not used CyberScope say costs will increase due to FISMA reporting and submission changes
Take Away: Price Barrier
Recommendations
Sell the Vision: CIOs/CISOs are open to change but need clarity on the new approach
Gain Traction With Early Adopters: Identify agencies in the lead, track progress, communicate results/benefits, and duplicate best practices
Seek Input: OMB must stay in touch with those in the trenches
If it Works, Make it Mandatory: Enforce compliance, penalize non-compliance – sounds like additional funding required
Methodology and Demographics
MeriTalk, on behalf of ArcSight, Brocade, Guidance Software, immixGroup, McAfee, and Netezza, conducted a survey of 34 Federal CIOs and CISOs in July 2010, collecting responses by phone and online.
Agency representation includes:
Thank You
Elizabeth Vandendriessche
MeriTalk
(703) 883-9000 ext. 146