Taskforce Tackles New IT Security Metrics
Group to Create Measurement Focusing on Outcomes
On the blog of the IT Dashboard, federal CIO Vivek Kundra, along with Navy CIO Robert Carey and Justice CIO Vance Hitch (co-chairs of the CIO Council's Information Security and Identity Management Committee), write that approaches to cybersecurity must confront new realities as threats to the nation's IT security evolve, adding:
"In order to meet the evolving challenges we now face, Federal Information Security Management Act metrics need to be rationalized to focus on outcomes over compliance. Doing so will enable new and actionable insight into agencies' information and network security postures, possible vulnerabilities and the ability to better protect our federal systems."
Besides the CIO Council, among those participating in the task force are the Council of Inspectors General on Integrity and Efficiency, the National Institute of Standards and Technology, the Department of Homeland Security, the Department of Defense, the Director of National Intelligence, the Government Accountability Office and the Information Security and Privacy Advisory Board.
The taskforce held its first meeting on Sept. 17. The Office of Management and Budget plans to have the taskforce develop a draft set of metrics for comment by the end of November.
According to the blog, the participants agreed that a new set of security metrics could move the agencies forward in securing their systems as "what gets measured, gets done." They discussed the various factors that will impact the development of new metrics, including:
FISMA reform legislation before Congress, the United States Information and Communication Act, takes the same tack as the taskforce, emphasizing real-time verification of IT security rather than departmental and agency compliance with cybersecurity rules.