Agencies will receive new cybersecurity performance metrics by November.
The Chief Information Officer Council created a Security Metrics Taskforce and charged it with creating “new metrics for information security performance for federal agencies that are focused on outcomes,” according to a blog post on the council’s Web site.
The task force, which met for the first time Sept. 17, is made up of experts from the council, the inspectors general community, the National Institute of Standards and Technology, the Homeland Security Department, the Defense Department, the Director of National Intelligence, the Government Accountability Office and the Information Security and Privacy Advisory Board.
The Office of Management and Budget plans to send out the draft metrics to agencies and industry for comment by the end of November.
“The participants agreed that a new set of security metrics could move the agencies forward in securing their systems as ‘what gets measured, gets done,’” the blog states.
The task force says the factors that could affect development of the metrics include:
A trust but verify approach
Fulfilling statutory requirements
Real-time awareness of security posture
The council’s work on new metrics comes as agencies are taking a deeper look at the Consensus Audit Guidelines, released in February by about 50 federal and industry colleagues, which detail the top 20 security threats and the controls to mitigate them.
NIST also has updated the final version of its Special Publication 800-53, a catalog of cybersecurity practices for agencies.
The new guidance brings together civilian and defense standards, and gives agencies a wider menu of choices for securing their systems.
DHS also is making standards and metrics a key piece of its governmentwide approach to cybersecurity.
Bruce McConnell, the counselor to National Protection and Programs Directorate (NPPD) Deputy Under Secretary Phil Reitinger, says those two areas, along with authentication, are key to improving cybersecurity across the government.
John Streufert, chief information security officer at the State Department, says his agency is shifting its metrics more toward return on investment and continuous monitoring. State assigns risk scores to all its offices based on how well they mitigate cyber risks.