Steven VanRoekel says FISMA reports could come to an end as CDM takes hold. (Gannett Government Media Corp)
The government’s top IT executive said he expects that agencies will soon be able to abandon their labor-intensive cybersecurity status reports, as required every three years by the Federal Information Security Management Act (FISMA).
U.S. CIO Steve VanRoekel said he thinks agencies will instead be able to generate, with the push of a button, automated reports from their continuous diagnostics and mitigation (CDM) systems that satisfy FISMA requirements. The Obama administration is pressing agencies to install CDM tools and sensors on their networks that can automatically detect security threats and vulnerabilities and work to fix them.
“My vision there is that the report out of this CDM system would actually satisfy the requirements of FISMA and not be in addition to [them],” VanRoekel said at the CFO-CIO Summit on June 3. “Effectively, [you could] go to your CDM console and hit the print button and get your FISMA report, is the vision.”
Current FISMA reporting requirements are widely viewed within the federal cybersecurity community as outdated, onerous, and a wasteful use of resources. VanRoekel said FISMA “had the right intentions,” but said the current reports required by the law are “not necessarily making the highest level of security in the organization compared to what modern technology can do.”
But agencies cannot simply stop producing those reports because they are audited by their inspectors general offices and the Government Accountability Office on how well they comply with FISMA’s requirements.
VanRoekel said he has talked with officials at GAO and the IG community “about getting this ball moving forward on making sure these are compatible.”
“And so far, so good on getting everyone to nod in unison on thinking about this being a good step forward.”
Patrick Howard, a former federal chief information security officer at the Nuclear Regulatory Commission and the Department of Housing and Urban Development, said VanRoekel’s comments are sure to be welcome news to the CISO community.
“That’s something the CISOs have been looking for for at least five years,” said Howard, who is now program manager for CDM at Kratos SecureInfo of San Diego.
“That’s how CDM was built, so it would give them some relief” from the huge compliance burdens — such as audits, evaluations and reports — imposed by FISMA, he said. “Then they can use those IT security dollars elsewhere.”