Administration Eyes Tightening Security Metrics

Administration Eyes Tightening Security Metrics
The Obama administration is looking to develop metrics that would require agencies to continuously monitor the security of their information systems, moving beyond the quarterly and annual reporting required by the Federal Information Security Management Act.

The White House's intention to define new metrics was included in an annual Office of Management and Budget report to Congress that showed continued improvements in two areas of information security among 25 major agencies during fiscal year 2008, which ended Sept. 30. According to OMB, the number of agencies satisfactorily certificating and accrediting IT security programs rose 4 points to 96 percent and testing contingency plans increased 6 points to 92 percent. However, agencies properly testing security controls dipped 2 points to 93 percent. Still, the percentage of agencies testing security controls is well above the 60 percent in compliance in 2002, the year Congress enacted FISMA.

Despite the overall improvement in information security compliance, OBM says it's time to improve the way information security assurance is measured. "One goal for new metrics would be to move beyond periodic compliance reporting to more continuous monitoring of security," the 125-page report says.

Indeed, government information security experts generally agree that complying with FISMA rules doesn't necessarily assure IT systems remain secure.

It's a sentiment shared with key members of Congress, where the White House is likely to find cooperative allies to develop new metrics. Sen. Tom Carper, D.-Del., chairman of a Senate panel that provides federal government information security oversight, says he'll shortly introduce legislation to update FISMA that would move beyond paper compliance and require metrics that measure the safety of IT systems themselves.

"Too often, we have agencies who manage what we call paper compliance, rather than really addressing the security of their networks," Carper said in an interview with "We want to go beyond paper compliance. we want to extend to the best of ability to just ensure that our networks are more secure."

Fed's Cybersecurity Mission Topic of House Hearing

The 60-day examination of the government's information security programs and policies being conducted for President Obama by Melissa Hathaway, a National Security Council senior director, will be held 2 p.m. Tuesday by the House Emerging Threats and Cybersecurity Subcommittee of the Homeland Security and Government Reform Committee. Hathaway's report is due next month.

The report is expected to detail a strategic framework to ensure the government's cybersecurity initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector.

"The committee views this hearing as its opportunity to provide feedback into the 60-day NSC cyber review by publicly declaring the committee's positions on what a strategic framework should look like and soliciting opinions from witnesses who have spent the last year-and-a-half conducting similar reviews," a committee statement reads.

At the hearing, the Government Accountability Office Congress' investigative arm will release an early draft of the national cybersecurity review that it's conducting for the committee. David Powner, GAO director of information management issues, also will testify.

Other witnesses slated to appear include Amit Yoran, the one-time director of U.S.-CERT and the National Cyber Security Division at Homeland Security; James Lewis, director and senior fellow for technology and public policy program at the Center for Strategic and International Studies, the Washington think tank that produced the report, Cybersecurity for the 44th Presidency; Oracle Chief Security Officer Mary Ann Davidson; and Scott Charney, Microsoft corporate vice president for trustworthy computing.

The hearing can be viewed online at the committee's website,

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.