- The Washington Times - Sunday, October 3, 2010

Fewer than one in five information technology chiefs in the federal government have tried CyberScope, a mandatory new system for reporting on information security in their agencies — and while those who have used the system praise it, most of the rest doubt the benefits, according to a survey to be published Monday.

The survey of the chief information officers (CIOs) from 34 Cabinet-level departments and other agencies was conducted on behalf of several computer security companies by MeriTalk — a firm that offers a social networking forum to government and private-sector executives working in government IT.

The survey found that 15 percent of CIOs had tried CyberScope, even though its use becomes mandatory on Nov. 15. Although those who had used the system rated it an “A” or “B” for performance, the large majority who hadn’t used it were doubtful of its purpose and suspicious of its effectiveness.

Nearly three quarters of this group — 72 percent — said they do not have a clear understanding of CyberScope’s mission and goals; more than two-thirds — 69 percent — were unsure the change would improve security; and more than half — 55 percent — said they feared the system would increase costs.

“It’s the ‘show me’ factor,” Ed White, director of business development for McAfee Inc., one of the survey’s sponsors, told The Washington Times. “You have a large subset of people who still aren’t sure.”

CyberScope is the latest effort to improve the functioning of FISMA, as the 2002 Federal Information Security Management Act is known inside the Beltway. FISMA, which critics decry as a box-ticking exercise, requires federal CIOs to report on — and agency inspectors general to audit — dozens of security measures every year.

At a hearing last year of a Senate Homeland Security & Governmental Affairs subcommittee on federal financial management and government information, the panel’s chairman, Sen. Thomas Carper, Delaware Democrat, said that meeting FISMA requirements cost about $2.3 billion every year and that the federal government had spent more than $40 billion on implementing the law since it was enacted in 2002.

The administration’s information technology chief, Vivek Kundra, told the hearing that the paper-based reporting system agencies were using at that time was “laborious, time consuming and unsecured.”

“The criticism of FISMA was always that it was a paperwork exercise and [that the reports it produced were] obsolete almost as soon as [they are] complete,” Mr. White said.

CyberScope, which allows agencies to report through a secure online portal, would be “the performance-based solution to years of inefficient and unsecured collection of agency security data,” Mr. Kundra said during the hearing last year.

CyberScope was “billed … as a silver bullet,” Mr. White said.

In reality, it was “not the panacea” but was a way to try to “push forward the idea that all agencies should move towards the implementation of continuous monitoring” of their computer security, he added.

In the future, he said, agencies would be able to automate the data-collection process for CyberScope. By moving toward more automated reporting, CyberScope potentially “will allow the departments and agencies to focus more on outcome-driven security metrics rather than [just] a compliance exercise,” he said.

Mr. White said the survey, which was conducted in July, may have “crossed paths” with a push from the Department of Homeland Security to educate officials about the system. “There was information [about CyberScope] available before, but it wasn’t overly clear,” he said. “Now they have started really pushing it.”

A Homeland Security spokeswoman declined to comment ahead of the report’s publication.
