OMB gives DHS new powers under revised FISMA guidance


Continuous and automated cybersecurity status reporting will become a new requirement for federal civilian agencies under new Office of Management and Budget FISMA guidance unveiled in an April 21 memo. As part of those changes, the Homeland Security Department will have a greatly expanded role in federal cybersecurity, said federal Chief Information Officer Vivek Kundra while speaking to reporters.

"DHS is going to be driving this across the federal enterprise...and the data feeds. And also these data feeds are going to be used to actually look for patterns, as far as vulnerabilities are concerned, very similar to what we've done in terms of the IT dashboard, to be able to look at which areas do we need to spend our energy on," Kundra said. The memo states that "DHS will monitor and report agency progress to ensure the effective implementation of this guidance."

As early as this June, some federal agencies must start using a DHS-managed tool called CyberScope to report metrics from cybersecurity management tools, Kundra said.

The first wave of federal agencies to use CyberScope to report real-time metrics will include NASA, and the Treasury, State and Veterans Affairs departments, Kundra said. All civilian federal agencies will come under the CyberScope mandate, according to the OMB memo.

The intent is to create a near real-time common operating picture of cybersecurity across the federal government, Kundra said. Use of CyberScope doesn't supplant the annual reporting requirement of FISMA, said Howard Schmidt, the U.S. cybersecurity coordinator, who also spoke to reporters.

The report "will be based on real-time information, as opposed to a snapshot in time," Schmidt said. A common criticism of FISMA has been that it forces agencies to spend resources on costly annual reports. Amalgamated real-time data will allow selective focusing on current issues and in some cases on resource reallocation, Schmidt said.

CyberScope is an online tool developed by the Justice Department and DHS and is already in use to collect data for this year's FISMA reports, Kundra said. "The shift that we're making here is moving away from benchmarking and qualitative data to actually system to system data so we can get information that gives us insight into government, enterprise-wide security posture," he added.

For more:
- listen to the April 21 Vivek Kundra and Howard Schmidt press call
- read the April 21 OMB memo detailing changes to FISMA reporting (.pdf)
- read a blog post by Vivek Kundra on the new guidance
