NEW CYBER SECURITY REPORT REVEALS FEDS’ TAKE ON FISMA 2.0
As OMB CyberScope Deadline Nears, 85 Percent of CIOs and CISOs Have Not Used the Tool – Compliance, Cost, and Security Value Questions Abound
Alexandria, Va., October 4, 2010 – MeriTalk (www.meritalk.com), the government IT network, today announced the results of “FISMA’s Facelift: In the Eye of the Beholder?,” a study that examines Federal chief information officers’ (CIO) and chief information security officers’ (CISO) perceptions and usage experiences for CyberScope, the new Federal Information Security Management Act’s (FISMA) online reporting portal. The Obama administration created CyberScope to streamline the reporting process, enhance analysis, and importantly, reduce the $2.3 billion Feds spend annually on compliance.
The report, underwritten by ArcSight, Brocade, Guidance Software, McAfee, Netezza, and immixGroup, reveals that while the Office of Management and Budget (OMB) established November 15, 2010 as the deadline for Federal agencies to submit FISMA reports via CyberScope, as of July 85 percent of Fed security leaders have not utilized the tool. That said, of those who have used CyberScope, 100 percent give the tool an “A” or “B” grade. While this small number of Fed users award CyberScope high marks, those who have not used the tool are not confident that it will meet its ultimate goals of cost savings and increased security.
Of CIOs and CISOs that have not used CyberScope, findings include:
- Uncertainty Abounds: 72 percent assert that they do not have a clear understanding of CyberScope’s mission and goals and 90 percent do not have a clear understanding of the
- Security Skepticism: 55 percent of respondents are unsure if the new submission process will improve security oversight. Additionally, 69 percent are unsure if the new approach will result in more secure Federal networks
- Cost Savings Unlikely: 55 percent state that CyberScope’s changes will increase submission costs
The study shows that OMB must increase communication, clarify submission requirements, and provide training for the reporting protocol shift in order to achieve CyberScope’s goals of enhanced oversight and reporting simplification. In addition, OMB needs to leverage early-adopter case studies to communicate track-record success and exemplify the tool’s benefits and results to the 85 percent of Feds that have not yet used CyberScope.
“November is right around the corner and Feds should realize the value in embracing this new FISMA reporting tool,” said Tom Conway, director of Federal business development, McAfee. “Cyber leaders must follow NASA’s and State’s best practices to capitalize on CyberScope’s benefits and realize more secure networks for America. We are working diligently with our Federal customers to help leverage their current large investments in security solutions to meet this new compliance
“The administration is all about transparency – and this study provides critical insight from Federal cyber security stakeholders,” said Steve O’Keeffe, founder, MeriTalk. “You only get one opportunity to make a first impression. Vivek Kundra first introduced the notion of CyberScope in Senate testimony last fall. Clearly FISMA needs reform. That said, the communication about that new approach has been spotty at best since that time. OMB must embrace the lessons learned from the IT Dashboard. OMB must clearly communicate CyberScope’s goals, progress, value, and associated measurement framework to Fed cyber security stakeholders to make this program a winner – and if OMB fails, America is the loser.”
The “FISMA’s Facelift: In the Eye of the Beholder?” report is based on an online survey of 34 Federal CIOs and CISOs in July 2010. To download the full study results please visit www.meritalk.com/FISMAfacelift. To register for the “FISMA’s Facelift: In the Eye of the Beholder?” Webinar please visit www.meritalk.com/FISMAWebinar.
The voice of tomorrow’s government today, MeriTalk is an online community that combines professional networking and thought leadership to drive the government IT community dialogue. Developed as a partnership among the Federal Business Council, Federal Employee Defense Services, Federal Managers Association, GovLoop, National Treasury Employees Union, USO, and WTOP/WFED radio, MeriTalk is a community network. For more information, visit www.meritalk.com or follow us on Twitter, @meritalk.