Feds to Issue New Metrics to Assess Gov't InfosecMeasurement Not Your Father's FISMA Compliance Check List
But a new document being circulated by the Department of Homeland Security among agency and departmental chief information officers is different from the forms federal CIOs have had to fill out for most of the past decade to comply with the Federal Information Security Management Act. The FY 2011 Chief Information Officer FISMA Reporting Metrics would require agencies to report on their progress in automating the continuous measurement of the most critical security risks.
"What gets measured, gets done," says Alan Paller, research director at the SANS Institute, which provides IT security training. Paller characterizes the new document as "a huge improvement in federal cybersecurity, one that will result in rapid risk reduction and potentially allow the government to lead by example in showing how to manage cybersecurity effectively.
"These new metrics asses agency progress in implementing the sensors and systems needed for continuous monitoring of the small number of key controls defined by NSA (National Security Agency), DHS and the other agencies and companies that are fully aware how cyberattacks are executed and what controls are needed to block those attacks or mitigate damage."
A DHS spokesman says the department won't address the new metrics until the White House Office of Management and Budget issues new guidance on continuous monitoring, which he says will likely occur this summer.
The new metrics cover 13 areas that include system inventory, asset management, configuration management, vulnerability management, identity and access management, data protection, boundary protection, incident management, training and education, remote access, network security protocols, software assurance and continuous monitoring.
Under continuous monitoring, the metrics seek to determine how often data from more than a dozen data feeds that are being monitored. The document also asks: To what extent is the data collected, correlated, and being used to drive action to reduce risks?
In complying with FISMA regulations, the White House has been moving agencies toward continuous monitoring from the traditional check-box approach to IT security compliance (see FISMA Reporting Moves Into the 21st Century).
The fact that the new metrics are being circulated by DHS emphasizes the growing role Homeland Security is playing in directing cybersecurity in the federal government, especially among civilian agencies. Last month, proposed legislation offered by the Obama administration would codify the leadership role DHS would perform in government IT security (see White House Unveils Cybersecurity Legislative Agenda).