The White House recently released the 2012 Federal Information Security Management Act report. The report tracks agencies’ progress toward reaching the compliance targets set in 2002’s Federal Information Security Management Act (FISMA). While the report documents some improvements and an increase in spending (up $1 billion from 2011), it also highlights areas of weakness that help illuminate the current government cybersecurity ecosystem.
And just like that, Shamun is back with his expanded thoughts on the GAO’s Cloud First findings. If you missed yesterday’s review of the first of the seven findings, click here. Quick recap: Earlier this month the Government Accountability Office released the results of its study on the Office of Management and Budget’s (OMB) Cloud First policy. The GAO assessed the progress of selected agencies and identified the challenges they face in implementing the policy. Shamun covers the next three findings in today’s post and will wrap up the series with the remaining findings later this week.
I attended an all-boys high school. At 16, we had no idea how to talk to women. It seems OMB is tongue-tied too when it comes to FISMA reform, CyberScope, and chatting up CIOs and CISOs. As the deadline for all agencies to use CyberScope for FISMA reporting looms – November 15, 2010 – it looks like OMB is in serious danger of going to the prom alone. A new MeriTalk study – FISMA's Facelift – reports that as of July 2010, 85 percent of Federal IT security leaders have yet to go on a first date with CyberScope. If beauty is only skin deep, let’s dig beneath the surface. Of the 85 percent “CyberScope virgins,” 72 percent don’t understand CyberScope’s mission and goals – and 90 percent don’t know how to get lucky – they’re unclear on the submission requirements. 55 percent question CyberScope’s economic benefits – asserting it will increase cost. Most damaging, Feds don’t see the value of courting. 55 percent don’t believe CyberScope will improve security oversight and 69 percent are unsure if the new approach will improve Uncle Sam’s cyber security.
"Why are agencies forced to pay twice to C&A systems?" said the exasperated and cash-strapped Federal IT exec. "If agency A wants to use a system from agency B - a system that has already been C&A'd - then agency A needs to pay for a completely new C&A. If we're spending more than 20 percent of our cyber security budget on C&A - and the average C&A costs $167,643 - shouldn't we look for efficiencies?" An observation over lunch was quickly validated by other Feds - IT execs battling with the double-headed budget and security dragon. Curious stuff. The FISMA C&A reciprocity riddle set me on a fool's errand to put a dollar figure on the cost of C&A redundancy. That said, it opened a new window on OMB's lack of transparency - quite astonishing in this era of open government.
In the ongoing saga of Federal adoption of clouds, one of the sticky wickets has been the requirement by law that all Federal information systems comply with the Federal Information Security Management Act of 2002, commonly referred to as FISMA. In a very small nutshell, FISMA requires that information systems comply with security guidelines that are the responsibility of the National Institute of Standards and Technology (NIST) and that these systems be monitored for vulnerabilities.