Federal Taskforce To Focus On Cybersecurity Metrics

The U.S. government plans to introduce standard metrics for measuring the effectiveness of its cybersecurity efforts by the end of the year.

The move, announced by federal CIO Vivek Kundra, along with the CIOs of the Navy and Department of Justice, comes at a time where the Federal Information Security Management Act, the government's main cybersecurity regulation, has been criticized for being inadequate and incomplete in terms of performance measurement.

"FISMA metrics need to be rationalized to focus on outcomes over compliance," Kundra wrote in a blog post announcing the move. "Doing so will enable new and actionable insight into agencies' information and network security postures, possible vulnerabilities and the ability to better protect our federal systems."

In order to develop the standards, the government has established the Security Metrics Taskforce, which will draw on best practices from federal agencies and the private sector.

The task force includes representatives of the Federal CIO Council, Council of Inspectors General on Integrity and Efficiency, National Institute of Standards and Health, Homeland Security, Department of Defense, Director of National Intelligence, Government Accountability Office, and the Information Security and Privacy Advisory Board. It met for the first time on September 17 and expects to release draft metrics by the end of November.

Kundra has been a proponent of performance metrics since taking office earlier this year. When the task force met last month, he wrote in the blog post, participants agreed that any new metrics would focus on "a trust but verify approach" to cybersecurity, meeting legal requirements, and a "real-time awareness security posture."

There are several federal efforts to strengthen cybersecurity metrics in place, including at the Department of Homeland Security, which holds a lot of pull in government-wide cybersecurity efforts.

"There's a need to build up a set of metrics that will enable the people throughout government and industry to make better decisions about cybersecurity, so they don't do this or that based on religion, but based on data," deputy undersecretary of the Department of Homeland Security for the National Protection and Programs Directorate and director of the National Cyber Security Center Phil Reitinger said in a recent interview with InformationWeek. "Cybersecurity needs to move towards a full-fledged scientific discipline."

InformationWeek has published an in-depth report on smartphone security. Download the report here (registration required).