CIO Council taskforce to change security metrics
Friday - 10/2/2009, 5:02pm EDT
Agencies will receive new cybersecurity performance metrics by November.
The Chief Information Officer Council created a Security Metrics Taskforce and charged it with creating "new metrics for information security performance for federal agencies that are focused on outcomes," according to a blog post on the council's Web site.
The task force, which met for the first time Sept. 17, is made up of experts from the council, the inspectors general community, the National Institute of Standards and Technology, the Homeland Security Department, the Defense Department, the Director of National Intelligence, the Government Accountability Office and the Information Security and Privacy Advisory Board.
The Office of Management and Budget plans to send out the draft metrics to agencies and industry for comment by the end of November.
"The participants agreed that a new set of security metrics could move the agencies forward in securing their systems as 'what gets measured, gets done,'" the blog states.
The taskforce says the factors that could impact the development include:
- A trust but verify approach
- Fulfilling statutory requirements
- Real-time awareness security posture
The council's work on new metrics comes as agencies are taking a deeper look at the Consensus Audit Guidelines, which were released in February by about 50 federal and industry colleagues who detailed the top 20 security threats and the controls to mitigate them.
NIST also has released the final version of its updated Special Publication 800-53, a catalog of cybersecurity practices for agencies.
The new guidance brings together civilian and defense standards, and gives agencies a wider menu of choices for securing their systems.
DHS also is making standards and metrics a key piece of its governmentwide approach to cybersecurity.
Bruce McConnell, the counselor to the National Protection and Programs Directorate (NPPD) Deputy Under Secretary Phil Reitinger, says those two areas along with authentication are keys to improving cybersecurity across the government.
John Streufert, chief information security officer at the State Department, says his agency is shifting its metrics more toward return on investment and continuous monitoring. State counts the risk scores of all its offices based on how they mitigate cyber risks.
On the Web:
CIO Council -- Security blog post
FederalNewsRadio -- New guidelines to close 20 biggest cyber holes
FederalNewsRadio -- NIST releases final cybersecurity recommendations
(Copyright 2009 by FederalNewsRadio.com. All Rights Reserved.)