CyberScope – Report Reveals Federal Executive’s Thoughts on FISMA 2.0

The results of a study that examined Federal chief information officers’ (CIO) and chief information security officers’ (CISO) perceptions of and usage experiences with CyberScope were released today.

CyberScope is the new Federal Information Security Management Act (FISMA) online reporting tool created by the Obama administration to streamline the reporting process, enhance analysis, and reduce the $2.3 billion the federal government spends on compliance each year.

The report, conducted by MeriTalk and underwritten by ArcSight, Brocade, Guidance Software, McAfee, Netezza, and immixGroup, revealed that as of July, 85 percent of Fed security leaders have not utilized the tool. The Office of Management and Budget (OMB) established November 15, 2010 as the deadline for Federal agencies to submit FISMA reports via CyberScope. Of those who have used CyberScope, however, 100 percent give the tool an “A” or “B” grade. While this small number of Fed users award CyberScope high marks, those who have not used the tool question whether it will meet its ultimate goals of cost savings and increased security.

Of CIOs and CISOs that have not used CyberScope, findings include:

• Uncertainty Abounds: 72 percent assert that they do not have a clear understanding of CyberScope’s mission and goals and 90 percent do not have a clear understanding of the submission requirements

• Security Skepticism: 55 percent of respondents are unsure if the new submission process will improve security oversight. Additionally, 69 percent are unsure if the new approach will result in more secure Federal networks

• Cost Savings Unlikely: 55 percent state that CyberScope’s changes will increase submission costs

The study shows that CIOs/CISOs are open to change but that OMB must increase communication, clarify submission requirements, and provide training for the reporting protocol shift in order to achieve CyberScope’s goals of enhanced oversight and reporting simplification. In addition, OMB needs to leverage early-adopter case studies to communicate track-record success and exemplify the tool’s benefits and results to the 85 percent of Feds that have not yet used CyberScope.

“November is right around the corner and Feds should realize the value in embracing this new FISMA reporting tool,” said Tom Conway, director of Federal business development, McAfee. “Cyber leaders must follow NASA’s and State’s best practices to capitalize on CyberScope’s benefits and realize more secure networks for America. We are working diligently with our Federal customers to help leverage their current large investments in security solutions to meet this new compliance mandate.”

“The administration is all about transparency – and this study provides critical insight from Federal cyber security stakeholders,” said Steve O’Keeffe, founder, MeriTalk. “You only get one opportunity to make a first impression. Vivek Kundra first introduced the notion of CyberScope in Senate testimony last fall. Clearly FISMA needs reform. That said, the communication about that new approach has been spotty at best since that time. OMB must embrace the lessons learned from the IT Dashboard. OMB must clearly communicate CyberScope’s goals, progress, value, and associated measurement framework to Fed cyber security stakeholders to make this program a winner – and if OMB fails, America is the loser.”

In July 2010, 34 Federal CIOs and CISOs were surveyed to create the report, “FISMA’s Facelift: In the Eye of the Beholder?” The full results of the study are available here.
