FISMA’s Facelift: In the Eye of the Beholder? October 4, 2010

1. FISMA’s Facelift: In the Eye of the Beholder?October 4, 2010

2. Introduction Since 2002, The Federal Information Security Management Act (FISMA) has required Federal security leaders to conduct annual reviews of their agency’s information security program. The cost is significant – $40B* since 2002. To streamline the process, the White House issued new direction focused on a new online portal, CyberScope. Will these efforts improve reporting, reduce costs, and result in more secure Federal networks? In May 2010, ArchSight, Brocade, Guidance Software, immixGroup, McAfee, and Netezza worked with MeriTalk to survey 34 CIOs and CISOs on their perceptions of the new requirements, barriers to change, and the path forward. 2 2 *Source: Congressional Testimony of Tom Carper, D.-Del, reported in GovInfoSecurity (http://www.govinfosecurity.com/articles.php?art_id=1894)

3. Contents • Key Findings • The Cost of Compliance • Continuous and Automatic Today • CyberScope 13 Recommendations • 14 Methodology and Demographics 3

4. Key Findings • Change in Federal IT security management is here: • Nearly all (97%) say they have deployed continuous and automatic monitoring for cyber threats • Few have used CyberScope, but those who have give the portal high marks: • 15% of CIOs/CISOs surveyed have used CyberScope • 100% of those who have used the tool grade it an “A” or “B” • Of those who have not used CyberScope, many are unclear about the benefits: • 69% are unsure if changes will deliver more secure Federal networks • 55% say a new submission process will increase the cost of compliance • 72% do not have a clear understanding of the mission and goals • 90% do not have a clear understanding of the submission requirements • CyberScope Path to Success: • Need to promote the tool, train users, and address funding perceptions 4 4

5. The Cost of Compliance The Federal government invests heavily in FISMA compliance and processing annually. The Cost of Compliance Source: Congressional Testimony of Tom Carper, D.-Del, reported in GovInfoSecurity (http://www.govinfosecurity.com/articles.php?art_id=1894) Only 32% of agencies received “good” or “excellent” FISMA grades in FY 2008* Take Away:Old Approach Broken 5 5 *http://www.whitehouse.gov/sites/default/files/omb/assets/reports/fy2008_fisma.pdf

6. 97% Have deployed continuous and automatic monitoring for cyber threats Continuous and Automatic Today Feds are working to stay a step ahead. Tools Feds are Using: Output from network monitoring tools Log files SIEM tools Other* (*Other responses included: HIPS, Anti-virus, IDS, firewalls, and STAT – Respondents asked to check all that apply) Take Away:Waking Up to Around the Clock Vigilance 6

7. CyberScope Fed leadership is mandating the move to more efficient and streamlined reporting approaches. November15, 2010 OMB deadline for Feds to submit FISMA reports via CyberScope* Take Away:Fast Approaching Deadlines 7 7 *http://tinyurl.com/286hnb7

8. CyberScope in Action Most CIOs/CISOs have not yet used CyberScope. Only 15% of CIOs/CISOs report they have used CyberScope Take Away:Need Greater Conversion – Long Way to Go Between July and November

9. Early Adopters Give High Marks Feds who have give positive feedback on the tool. 100% of those who have used the tool give it a grade of A or B Out in Front: Take Away:Passes Taste Test

10. CyberScope – What? However, most* are unclear on CyberScope’s goals and requirements. 72% say they do not have a clear understanding of CyberScope’s mission and goals 90% say they do not have a clear understanding of the submission requirements Take Away:Education, Education, Education 10 10 *Those who have not used CyberScope

11. Will it Make Things Better? And, they* are unclear if the new approach will improve oversight and/or security. Will changes outlined in the April 21 White House memorandum result in more secure Federal networks? Will changes outlined in the April 21 White House memorandum improve oversight? Take Away:Education, Education, Education 11 11 *Those who have not used CyberScope

12. Will it Make Things Better? Critically, CIOs/CISOs need to see the benefits. Today, they do not anticipate cost savings from the new approach. 55% of CIOs/CISOs who have not used CyberScope say costs will increase due to FISMA reporting and submission changes Take Away:Price Barrier

13. Recommendations Sell the Vision: CIOs/CISOs are open to change but need clarity on the new approach Gain Traction With Early Adopters: Identify agencies in the lead, track progress, communicate results/benefits, and duplicate best practices Seek Input: OMB must stay in touch with those in the trenches If it Works, Make it Mandatory: Enforce compliance, penalize non-compliance – sounds like additional funding required 13 13

14. Methodology and Demographics MeriTalk, on behalf of ArchSight, Brocade, Guidance Software, immixGroup, McAfee, and Netezza, conducted a survey of 34 Federal CIOs and CISOs in July 2010, collecting responses by phone and online. Agency representation includes: 14

15. Thank You TBD – McAfee TBD@TBD (XXX) XXX-XXXX Elizabeth Vandendriessche MeriTalk evandendriessche@meritalk.com (703) 883-9000 ext. 146