FISMA compliance to require monthly reports

Share this article:

Federal agencies soon will be required to report on their information security health on a monthly basis, instead of annually, according to a memo from the federal Office of Management and Budget.

As part of their compliance with the Federal Information Security Management Act (FISMA), agencies must, beginning next month, submit data from their automated security management tools into CyberScope, an application that went online in 2009, and is used to securely and efficiently report security-related information and provide analysis.

"This shift from the once-a-year FISMA reporting process to a monthly reporting of key metrics through CyberScope allows security practitioners to make decisions using more information – delivered more quickly than ever before," OMB Director Jacob Lew wrote in the memo, issued last week.

The monthly requirements also include answering questions in CyberScope that address risk. They are meant to determine whether an agency effectively is implementing its security functionality. In addition, under the reporting mandates, agencies must work with government specialists through sessions and interviews to improve their security stance.

Marcus Sachs, a former U.S. government cyber official, said increased reporting requirements, in both the private and public sector, tend to occupy man-hours that would be better served working the problem. But he said that forcing senior management to sign off on regular reports could shine a light on the need for more security resources.

"I think it one sense, increasing the [reporting] burden does take away from the few people who are really good at cybersecurity," he told SCMagazineUS.com on Monday. "On the other hand, it does increase the awareness of the senior leaders. Nobody is going to sign off on it unless it's accurate."

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

FilmOn accuses DoubleVerify of distributing malware

In readying a libel suit against DoubleVerify, FilmOn says it discovered that the firm deliberately distributed malware.

Schumer: Feds should do 'top to bottom' probe of online drug marketplaces

Sen. Charles Schumer of New York has called on federal law enforcement officials to stop "copy cat websites."

ShellShock vulnerability exploited in SMTP servers

Researchers at Trend Micro found that attackers were targeting Simple Mail Transfer Protocol (SMTP) servers to execute malicious code and an IRC bot.