Shows & Panels
- The 2014 Big Picture on Cyber Security
- AFCEA Answers
- Ask the CIO
- Connected Government
- Consolidating Mission-critical Systems
- Constituent Servicing
- The Data Privacy Imperative: Safeguarding Sensitive Data
- Eliminating the Pitfalls: Steps to Virtualization in Government
- Federal Executive Forum
- Federal Tech Talk
- Government Cloud Brokerage: Who, What, When, Where, Why?
- Government Mobility
- The Intersection: Where Technology Meets Transformation
- Maximizing ROI Through Data Center Consolidation
- Mobile Device Management
- The Modern Federal Threat Landscape
- Moving to the Cloud. What's the best approach for me
- Navigating Tough Choices in Government Cloud Computing
- Satellite Communications: Acquiring SATCOM in Tight Times
- Transformative Technology: Desktop Virtualization in Government
- Understanding the Intersection of Customer Service and Security in the Cloud
Shows & Panels
CIO Council taskforce to change security metrics
Friday - 10/2/2009, 5:02pm EDT
Agencies will receive new cybersecurity performance metrics by November.
The Chief Information Officer Council created a Security Metrics Taskforce and charged it with creating "new metrics for information security performance for federal agencies that are focused on outcomes," according to a blog post on the council's Web site.
The task force, which met for the first time Sept. 17, is made up of experts from the council, the inspectors general community, the National Institute of Standards and Technology, the Homeland Security Department, the Defense Department, the Director of National Intelligence, the Government Accountability Office and the Information Security and Privacy Advisory Board.
The Office of Management and Budget plans to send out the draft metrics to agencies and industry for comment by the end of November.
"The participants agreed that a new set of security metrics could move the agencies forward in securing their systems as 'what gets measured, gets done,'" the blog states.
The taskforce says the factors that could impact the development include:
- A trust but verify approach
- Fulfilling statutory requirements
- Real-time awareness security posture
The council's work on new metrics come as agencies are taking a deeper look at the Consensus Audit Guidelines that were released in February by about 50 federal and industry colleagues, who detailed the top 20 security threats and the controls to mitigate them.
NIST also has updated its final version of its Special Publication 800-53, a catalog of cybersecurity practices for agencies.
The new guidance brings together civilian and defense standards, and gives agencies a wider menu of choices for securing their systems.
DHS also is making standards and metrics a key piece of its governmentwide approach to cybersecurity.
Bruce McConnell, the counselor to the National Protection and Programs Directorate (NPPD) Deputy Under Secretary Phil Reitinger, says those two areas along with authentication are keys to improving cybersecurity across the government.
John Streufert, chief information security officer at the State Department, says his agency is shifting its metrics more toward return on investment and continuous monitoring. State counts the risk scores of all its offices based on how they mitigate cyber risks.
On the Web:
CIO Council -- Security blog post
FederalNewsRadio -- New guidelines to close 20 biggest cyber holes
FederalNewsRadio -- NIST releases final cybersecurity recommendations
(Copyright 2009 by FederalNewsRadio.com. All Rights Reserved.)