Taskforce Tackles New IT Security Metrics

Group to Create Measurement Focusing on Outcomes
The Federal Chief Information Officers Council has established a taskforce to develop new information security performance metrics that focus on outcomes.

On the blog of the IT Dashboard, federal CIO Vivek Kundra, Navy CIO Robert Carey and Justice CIO Vance Hitch (co-chairs of the council's Information Security and Identity Management Committee) write that approaches to cybersecurity must confront new realities as threats to the nation's IT security evolve, adding:

"In order to meet the evolving challenges we now face, Federal Information Security Management Act metrics need to be rationalized to focus on outcomes over compliance. Doing so will enable new and actionable insight into agencies' information and network security postures, possible vulnerabilities and the ability to better protect our federal systems."

Besides the CIO Council, participants in the taskforce include the Council of Inspectors General on Integrity and Efficiency, the National Institute of Standards and Technology, the Department of Homeland Security, the Department of Defense, the Director of National Intelligence, the Government Accountability Office and the Information Security and Privacy Advisory Board.

The taskforce held its first meeting on Sept. 17. The Office of Management and Budget plans to have the taskforce develop a draft set of metrics for comment by the end of November.

According to the blog, the participants agreed that a new set of security metrics could move agencies forward in securing their systems, on the principle that "what gets measured, gets done." They discussed the various factors that will shape the development of the new metrics, including:

A trust-but-verify approach.
Fulfilling statutory requirements.
Real-time awareness of security posture.

FISMA reform legislation before Congress, the United States Information and Communication Act, takes the same tack as the taskforce, emphasizing real-time verification of IT security rather than departmental and agency compliance with cybersecurity rules.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.