FISMA’s Facelift: In the Eye of the Beholder? October 4, 2010

(PowerPoint presentation)


Page 2

Introduction

Since 2002, The Federal Information Security Management Act (FISMA) has required Federal security leaders to conduct annual reviews of their agency’s information security program.

The cost is significant – $40B* since 2002. To streamline the process, the White House issued new direction focused on a new online portal, CyberScope.

Will these efforts improve reporting, reduce costs, and result in more secure Federal networks?

In May 2010, ArcSight, Brocade, Guidance Software, immixGroup, McAfee, and Netezza worked with MeriTalk to survey 34 CIOs and CISOs on their perceptions of the new requirements, barriers to change, and the path forward.

*Source: Congressional Testimony of Tom Carper, D.-Del, reported in GovInfoSecurity (http://www.govinfosecurity.com/articles.php?art_id=1894)

New CyberScope Reporting Portal:

• Interactive tool to support FISMA reporting
• Launched October 2009
• Designed to streamline reporting, enhance analysis, reduce costs

Source: http://www.govinfosecurity.com/articles.php?art_id=1894

New White House Guidance:

• April 21, 2010 memo emphasizes need for continuous monitoring
• Identifies CyberScope as the platform for FY 2010 FISMA submissions

Source: http://tinyurl.com/286hnb7

Page 3

Contents

4 Key Findings

5 The Cost of Compliance

6 Continuous and Automatic Today

7 CyberScope

13 Recommendations

14 Methodology and Demographics

Page 4

Key Findings

• Change in Federal IT security management is here:
  • Nearly all (97%) say they have deployed continuous and automatic monitoring for cyber threats

• Few have used CyberScope, but those who have give the portal high marks:
  • 15% of CIOs/CISOs surveyed have used CyberScope
  • 100% of those who have used the tool grade it an “A” or “B”

• Of those who have not used CyberScope, many are unclear about the benefits:
  • 69% are unsure if changes will deliver more secure Federal networks
  • 55% say a new submission process will increase the cost of compliance
  • 72% do not have a clear understanding of the mission and goals
  • 90% do not have a clear understanding of the submission requirements

• CyberScope Path to Success:
  • Need to promote the tool, train users, and address funding perceptions

Page 5

The Cost of Compliance

The Federal government invests heavily in FISMA compliance and processing annually.

Take Away: Old Approach Broken

Source: Congressional Testimony of Tom Carper, D.-Del, reported in GovInfoSecurity (http://www.govinfosecurity.com/articles.php?art_id=1894)

FISMA C&A Processes: $1.3B annually

FISMA Auditing: $1B annually

Total Spent Since FISMA Enacted: $40B since 2002

Only 32% of agencies received “good” or “excellent” FISMA grades in FY 2008*

*http://www.whitehouse.gov/sites/default/files/omb/assets/reports/fy2008_fisma.pdf

Page 6

Continuous and Automatic Today

Feds are working to stay a step ahead.

97% have deployed continuous and automatic monitoring for cyber threats

Tools Feds are Using (chart; respondents asked to check all that apply): Other*, SIEM tools, Log files, Output from network monitoring tools. Values shown: 79%, 76%, 38%, 9%.

(*Other responses included: HIPS, Anti-virus, IDS, firewalls, and STAT)

Take Away: Waking Up to Around the Clock Vigilance

Page 7

CyberScope

Fed leadership is mandating the move to more efficient and streamlined reporting approaches.

OMB deadline for Feds to submit FISMA reports via CyberScope*: November 15, 2010

Take Away: Fast Approaching Deadlines

*http://tinyurl.com/286hnb7

Page 8

CyberScope in Action

Most CIOs/CISOs have not yet used CyberScope.

Only 15% of CIOs/CISOs report they have used CyberScope

Take Away: Need Greater Conversion – Long Way to Go Between July and November

Page 9

Early Adopters Give High Marks

Feds who have used the tool give positive feedback on it.

Out in Front: 100% of those who have used the tool give it a grade of A or B

Take Away: Passes Taste Test

Page 10

CyberScope – What?

However, most* are unclear on CyberScope’s goals and requirements.

72% say they do not have a clear understanding of CyberScope’s mission and goals

90% say they do not have a clear understanding of the submission requirements

Take Away: Education, Education, Education

*Those who have not used CyberScope

Page 11

Will it Make Things Better?

And, they* are unclear if the new approach will improve oversight and/or security.

Will changes outlined in the April 21 White House memorandum improve oversight?
Unsure, 55%; Yes, 28%; No, 17%

Will changes outlined in the April 21 White House memorandum result in more secure Federal networks?
Unsure, 69%; Yes, 31%

Take Away: Education, Education, Education

*Those who have not used CyberScope

Page 12

Will it Make Things Better?

Critically, CIOs/CISOs need to see the benefits. Today, they do not anticipate cost savings from the new approach.

55% of CIOs/CISOs who have not used CyberScope say costs will increase due to FISMA reporting and submission changes

Take Away: Price Barrier

Page 13

Recommendations

Sell the Vision: CIOs/CISOs are open to change but need clarity on the new approach

Gain Traction With Early Adopters: Identify agencies in the lead, track progress, communicate results/benefits, and duplicate best practices

Seek Input: OMB must stay in touch with those in the trenches

If it Works, Make it Mandatory: Enforce compliance, penalize non-compliance – sounds like additional funding required

Page 14

Methodology and Demographics

MeriTalk, on behalf of ArcSight, Brocade, Guidance Software, immixGroup, McAfee, and Netezza, conducted a survey of 34 Federal CIOs and CISOs in July 2010, collecting responses by phone and online.

Agency representation includes:

Page 15

Thank You

Elizabeth Vandendriessche

MeriTalk

[email protected]

(703) 883-9000 ext. 146

TBD – McAfee

TBD@TBD

(XXX) XXX-XXXX