Experts: Better Federal Cybersecurity Reporting Needed
Security analysts said Tuesday that the federal government needs a better system for assessing and reporting cybersecurity threats, but real progress is impossible without more money for new programs, Nextgov.com reported.
During a conference in Washington hosted by software solutions company SAS, security analysts agreed the 2002 Federal Information Security Management Act, which requires agencies to submit comprehensive security reports on a semi-regular basis, no longer provides the guidance necessary to effectively monitor cyber threats. Critics have called the current process burdensome and a distraction from security.
White House Cybersecurity Coordinator Howard Schmidt and federal Chief Information Officer Vivek Kundra recently outlined a new monitoring approach that will require agencies to regularly feed information about their systems, software, security training and user access into a central Web-based portal called CyberScope. Agencies can begin using the tool in June, and monthly reporting will be required starting in 2011, according to the Office of Management and Budget memorandum issued last month.
FISMA made sense at the time it was written because some agencies paid no attention to cyber threats, said former Rep. Tom Davis, R-Va., who is now director of federal government affairs at Deloitte and Touche. "No one understood that there were no safeguards and hackers were five or six steps ahead of us," said Davis, a former chairman of the House Oversight and Government Reform Committee. "The procedures brought some awareness to government."
But analysts agree the guidelines are outdated, and government needs to move from a reactive approach to a preemptive one. "FISMA got us to a certain bar, but the reality is that we're more compromised today than we've ever been," said Travis Reese, executive vice president and chief operating officer of Mandiant Corp., which offers intelligence security solutions.
Government and industry should move away from the mindset in which they could pass FISMA audits but still be vulnerable to security threats, said Bud Horton, executive director of Accenture Technology Consulting-Security, adding that too many organizations get hung up on checklists without focusing on actual security outcomes.
"It's nice to check all the boxes and have procedures, but does it really work?" Davis said.