Federal cyber security oversight slowly moving towards automation

While the information agencies must submit for this fall's information systems security reporting under the Federal Information Security Management Act (FISMA) has not changed significantly, OMB announced in a memorandum last week that FISMA reports will henceforth be submitted through an online data collection and reporting tool rather than the spreadsheets used in past years. This is a step in the right direction, and a natural development given that FISMA reporting was designated as one of the key services that could be provided to agencies centrally rather than having every agency maintain its own reporting capability.

Under OMB's Information System Security Line of Business (ISS LOB), the Department of Justice and the Environmental Protection Agency have been designated as service providers for FISMA reporting (the other ISS LOB service is security awareness training, provided by the Department of Defense, the Office of Personnel Management, and a joint Department of State-US Agency for International Development effort). To the extent other agencies use these centralized services, the number of sources of FISMA report information will shrink significantly, and consolidating the system instances used to collect the data and produce the reports also greatly simplifies automating report submission. ISS LOB partner agencies gave every indication that greater automation would be one benefit of centralized FISMA reporting, but it is important to recognize that the OMB memorandum applies to all agencies and mandates use of the new submission mechanism for all of them (the reporting deadline has been pushed back to mid-November to give agencies time to adapt to the new format).

The initial beneficiary of this change is OMB. There has long been value in having FISMA report data loaded into databases from which it can be associated with other relevant agency information submitted to OMB through other channels and processes. Under the Obama administration, and especially under the direction of federal CIO Vivek Kundra, OMB is working with agencies to minimize the amount of overlapping or duplicative information requested in data calls or required submissions. For example, the Exhibit 300 business case justification that agencies must use to report their major (i.e., over $10 million) IT investments no longer requires information system security and privacy information to be included; instead, agencies are directed to ensure that their FISMA reports include a valid IT investment unique identifier for each information system, so that each IT investment can be associated with the relevant system-level security and privacy information submitted through the FISMA reporting process. This not only decreases the reporting burden on agencies but should, in theory, also improve data quality by replacing multiple (potentially conflicting) submissions of the same information with a single submission drawn from the authoritative source for that information. It also puts additional pressure on agencies and OMB to ensure that the linking fields (essentially the foreign keys in the database tables) used to associate separately reported data sets are used consistently across agencies: a system whose investment identifier is missing, malformed, or out of date cannot be joined to its investment record, and the security and privacy information for that investment simply drops out of the combined view.