
FISMA’s Facelift: In the Eye of the Beholder? October 4, 2010.


2 Introduction

Since 2002, the Federal Information Security Management Act (FISMA) has required Federal security leaders to conduct annual reviews of their agency's information security program. The cost is significant: $40B* since 2002. To streamline the process, the White House issued new direction centered on a new online portal, CyberScope. Will these efforts improve reporting, reduce costs, and result in more secure Federal networks? In May 2010, ArcSight, Brocade, Guidance Software, immixGroup, McAfee, and Netezza worked with MeriTalk to survey 34 CIOs and CISOs on their perceptions of the new requirements, barriers to change, and the path forward.

*Source: Congressional testimony of Sen. Tom Carper (D-Del.), reported in GovInfoSecurity (http://www.govinfosecurity.com/articles.php?art_id=1894)

New CyberScope Reporting Portal: interactive tool to support FISMA reporting. Launched October 2009. Designed to streamline reporting, enhance analysis, and reduce costs. Source: http://www.govinfosecurity.com/articles.php?art_id=1894

New White House Guidance: the April 21, 2010 memo emphasizes the need for continuous monitoring and identifies CyberScope as the platform for FY 2010 FISMA submissions. Source: http://tinyurl.com/286hnb7

3 Contents

4 Key Findings
5 The Cost of Compliance
6 Continuous and Automatic Today
7 CyberScope
13 Recommendations
14 Methodology and Demographics

4 Key Findings

Change in Federal IT security management is here: nearly all (97%) say they have deployed continuous and automatic monitoring for cyber threats.

Few have used CyberScope, but those who have give the portal high marks: 15% of CIOs/CISOs surveyed have used CyberScope, and 100% of those who have used the tool grade it an "A" or "B".

Of those who have not used CyberScope, many are unclear about the benefits: 69% are unsure if the changes will deliver more secure Federal networks; 55% say a new submission process will increase the cost of compliance; 72% do not have a clear understanding of the mission and goals; 90% do not have a clear understanding of the submission requirements.

CyberScope path to success: promote the tool, train users, and address funding perceptions.

5 The Cost of Compliance

The Federal government invests heavily in FISMA compliance and processing annually.

FISMA C&A processes: $1.3B annually
FISMA auditing: $1B annually
Total spent since FISMA enacted: $40B since 2002

Source: Congressional testimony of Sen. Tom Carper (D-Del.), reported in GovInfoSecurity (http://www.govinfosecurity.com/articles.php?art_id=1894)

Only 32% of agencies received "good" or "excellent" FISMA grades in FY 2008.* 
*http://www.whitehouse.gov/sites/default/files/omb/assets/reports/fy2008_fisma.pdf

Take Away: Old Approach Broken

6 Continuous and Automatic Today

97% have deployed continuous and automatic monitoring for cyber threats. Feds are working to stay a step ahead.

Tools Feds are using (respondents asked to check all that apply):
SIEM tools
Log files
Output from network monitoring tools
Other*

*Other responses included HIPS, anti-virus, IDS, firewalls, and STAT.

Take Away: Waking Up to Around-the-Clock Vigilance

7 CyberScope

Fed leadership is mandating the move to more efficient and streamlined reporting approaches.

OMB deadline for Feds to submit FISMA reports via CyberScope:* November 15, 2010
*http://tinyurl.com/286hnb7

Take Away: Fast Approaching Deadlines

8 CyberScope in Action

Most CIOs/CISOs have not yet used CyberScope: only 15% report they have used it.

Take Away: Need Greater Conversion Between July and November; Long Way to Go

9 Early Adopters Give High Marks

Feds who have used the tool give positive feedback: 100% of those who have used it give it a grade of A or B.

Out in Front:

Take Away: Passes Taste Test

10 CyberScope: What?

However, most* are unclear on CyberScope's goals and requirements.

72% say they do not have a clear understanding of CyberScope's mission and goals.
90% say they do not have a clear understanding of the submission requirements.

*Those who have not used CyberScope

Take Away: Education, Education, Education

11 Will it Make Things Better?

And they* are unclear whether the new approach will improve oversight and/or security.

Will changes outlined in the April 21 White House memorandum improve oversight?
Will changes outlined in the April 21 White House memorandum result in more secure Federal networks?

*Those who have not used CyberScope

Take Away: Education, Education, Education

12 Will it Make Things Better?

Critically, CIOs/CISOs need to see the benefits. Today, they do not anticipate cost savings from the new approach: 55% of CIOs/CISOs who have not used CyberScope say costs will increase due to the FISMA reporting and submission changes.

Take Away: Price Barrier

13 Recommendations

Sell the Vision: CIOs/CISOs are open to change but need clarity on the new approach.
Gain Traction With Early Adopters: identify agencies in the lead, track progress, communicate results and benefits, and duplicate best practices.
Seek Input: OMB must stay in touch with those in the trenches.
If it Works, Make it Mandatory: enforce compliance and penalize non-compliance; this sounds like additional funding will be required.

14 Methodology and Demographics

MeriTalk, on behalf of ArcSight, Brocade, Guidance Software, immixGroup, McAfee, and Netezza, conducted a survey of 34 Federal CIOs and CISOs in July 2010, collecting responses by phone and online. Agency representation includes:

15 Thank You

Elizabeth Vandendriessche, MeriTalk
evandendriessche@meritalk.com
(703) 883-9000 ext. 146

