OMB: Agencies Must File Monthly Infosec ReportsContinuous Monitoring Comes of Age in Reporting Security Posture
And, the Office of Management and Budget is telling agencies that monthly reports are the minimum, encouraging them to report significant changes in security status as soon as they become known.
To ease the new burden of more frequent reporting, agencies will cull security data from continuous monitoring systems being implemented throughout the government, feeding that information into an automated reporting tool known as CyberScope (see Automated FISMA Reporting Tool Unveiled).
"This shift from the once-a-year FISMA reporting process to a monthly reporting of key metrics through CyberScope allows security practitioners to make decisions using more information - delivered more quickly than ever before," OMB Director Jacob Lew said in a memorandum issued Wednesday.
"The goal for federal information security ... is to build a defensible federal enterprise that enables agencies to harness technological innovation, while protecting agency information and information systems," Lew said. "To maximize the timeliness and fidelity of security-related information, the collection of data should be a byproduct of existing continuous monitoring processes."
In a Q&A addendum to the memo, OMB encourages agencies to share security information as soon as it becomes available. "This helps promote timely correction of weaknesses in the agency's information systems and resolution of issues," OMB said. "Waiting until the completion of a report or the year's end does not promote stronger information system security."
In the past, to comply with the reporting rules of the 9-year-old FISMA, each department and agency would e-mail to OMB 100 individual spreadsheets and paper copies of inspectors general's IT security audits. It took the equivalent of three fulltime workers a full month to compile and analyze the data submissions. Beginning last year, agencies began using CyberScope to file their FISMA reports (see FISMA Reporting Moves Into the 21st Century).
The shift in the reporting process is more than just replacing printed material with 0s and 1s. Over the years, FISMA reports focused on the processes agencies took to secure IT without determining whether computer systems and networks were truly secure. Now, agencies are reporting what their continuous monitoring systems tell them about the current security state of their computers and networks.
The monthly reports won't be as comprehensive as the annual FISMA reports. In Lew's memo, agencies are being asked to load data from their automated security management tools into CyberScope for a limited number of data elements. Full implementation of automated security management tools across agencies will take time, the OMB director said. "These reporting requirements will mature over time as the efforts of the Chief Information Officers Council's Continuous Monitoring Working Group, in collaboration with the agencies evolve and additional metrics and capabilities are developed," he said.
The OMB memo said some agencies will be required to participate in review and training sessions known as CyberStat, launched by the Department of Homeland Security last January, in which DHS cybersecurity experts help agencies to develop plans to improve their IT security posture.
According to the memo, CyberStat sessions feature representatives from DHS, OMB, the National Security staff and agency teams collaborating to closely examine program data, with a focus on problem-solving. The outcome is a prioritized action plan for the agency to improve overall performance. Information compiled from the review process also will furnish the government with a holistic view of the federal cybersecurity posture, which should help develop future policy and oversight decisions. Government security specialists will interview agencies not selected for a formal CyberStat review; those interviews will focus on specific threats that each agency faces.