Survey: Federal IT leaders lack confidence in CyberScope

According to the result of a new survey published by MeriTalk, an online community for government IT professionals, 85 percent of federal information security leaders have not utilized CyberScope, an online reporting tool designed to reduce the amount of wasted dollars the government spends annually on cyber security compliance reports. Of those that have used CyberScope, the survey entitled "FISMA's Facelift: In the Eye of the Beholder," found that everyone has given the tool an "A" or "B" rating.

In 2002, Congress passed the Federal Information Security Management Act or FISMA, which was designed to create security standards surrounding the use of the federal government's IT network. To accomplish this, the law requires federal agencies to conduct annual audits of their cyber security programs and submit that information to the Office of Budget and Management.

In an effort to streamline that process, the Obama administration created CyberScope, a tool designed to allow agencies to submit their compliance reports more efficiently and therefore reduce the amount of money that the government spends annually on these compliance efforts.

According to Sen. Tom Carper (D-Del.), who testified before a Senate subcommittee last year, the government spends nearly $2.3 billion annually on FISMA requirements and has spent $40 billion since the law was enacted.

Though the OMB established a deadline of Nov. 15, 2010 for all agencies to submit compliance reports via CyberScope, Elizabeth Vandendriessche, online community manager for MeriTalk, said that the government has a lot of work to do when it comes to instilling confidence in their IT security leaders about the effectiveness of the tool.

"What we decided to do is go out to the CIOs (chief information officers) and CISOs (chief information security officers) to kind of get a temperature check for what they understand about the requirements of CyberScope submitting, and what they understand about the goals, mission and benefits of CyberScope are," she said.

According to Vandendriessche, the community of federal CIOs and CISOs consists of about 40 to 45 people and 34 of them were included in the survey.

Of those that have not used CyberScope, the survey found:

- 72 percent did not understand CyberScope's mission and goals
- 90 percent did not have a clear understanding about CyberScope's submission requirements
- 55 percent of respondents were unsure if the process would improve security oversight
- 69 percent were unsure if the tool would result in more secure networks
- 55 percent actually thought that the use of CyberScope would increase submission costs for compliance reports.

Vandendriessche says the key for the government in gaining compliance among IT leaders in using CyberScope is communication.

"Ultimately, I think that DHS (the Department of Homeland Security) and OMB need to provide a little bit more clarity for this community about the CyberScope approach, the goals, the mission requirements and what they hoped to have changed once CyberScope is in full swing," she said. "Additionally, there have been a couple of early adopters (of CyberScope), some agencies that have gone through the process. I think they need to identify those early adopters and exemplify the best practices."

Vandendriessche added that communication between the IT community and the agencies responsible for enforcing the use of CyberScope needs to be a "two-way street" with DHS and OMB being open to hearing the challenges faced by these information managers in utilizing the tool.

"I think that there is a natural aversion to change anytime there is a new approach or new tool and there is going to be a lot of questions," she said. "DHS and OMB really need to address those questions with open communication, training and guidance. Once they do that and they provide more general information about the tool, folks will be more inclined to get in there and see what happens for themselves."

For another take on the results of this study, read Steve Lasky's "My Point of View" column in this month's issue of Security Technology Executive