The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies to report on the state of their information security. The United States Office of Management and Budget (OMB) released a reporting tool called CyberScope in 2009 to assist these agencies in meeting FISMA reporting requirements. CyberScope attempts to correct previous deficiencies and streamline the FISMA reporting process. BeyondTrust offers products that allow organizations to comply with these requirements.

Overview

Continuous monitoring is a process that detects compliance issues in an organization's information systems (IS) environment. The United States Department of State performs continuous monitoring on its network of 40,000 computers and 5,000 routers, which support 285 posts throughout the world. It uses the Risk Scoring Program (RSP) to monitor an information system and assess its security in ten categories. The system receives a score between one and ten in each category, with one representing the highest level of security and ten representing the lowest. The RSP uses these ten scores to assign a single letter grade to the IT professionals responsible for that system, with "F-" being the worst grade and "A" being the best. This assessment is performed at least once every two days.

The continuous-monitoring model of the RSP gives IT professionals a clear picture of their degree of risk, and it also encourages a sense of competition with their peers. The State Department reports that its RSP has reduced the risk of its domestic systems by 83 percent and that of its foreign systems by 84 percent since 2008. The OMB has also implemented a security dashboard to complement CyberScope's automated reporting capability. This dashboard helps to ensure that CyberScope submits its reports in a timely manner.

CyberScope uses the Internet to collect reports on IT security from federal agencies. This represents a fundamental change in the IT reporting method, which agencies previously performed on paper. CyberScope currently has about 600 agency staff members who access the system through a standard interface by logging in with a personal identity verification (PIV) card and a personal identification number (PIN). Users then enter live data and transmit it in a standard format to the OMB. The OMB then compiles this information and generates reports, which it transmits to other agencies according to FISMA requirements.

An information assurance vulnerability alert (IAVA) is a notification of a vulnerability that exists in an operating system or application software. The United States Cyber Command analyzes vulnerabilities on hosts that reside on the Global Information Grid and determines whether the Department of Defense (DOD) needs to issue an IAVA. This practice allows components of the DOD to take the appropriate action to minimize the security threat posed by these vulnerabilities.

The DOD uses three severity categories to classify a weakness in an information system: CAT I, CAT II and CAT III, with CAT I being the most severe and CAT III the least severe. Certifying authorities or their designated representatives assign a DOD severity category to a system weakness after considering all mitigating factors.

Requirements

FISMA requires federal agencies to perform the following activities on a recurring basis:

  • Report IS data each month
  • Answer security questions
  • Attend accountability sessions and interviews