The new metrics have a strong emphasis on real-time monitoring. Critics have long faulted the government's cybersecurity compliance efforts under the Federal Information Security Management Act for focusing too heavily on metrics that have little to do with actual operational security, such as whether an agency has tested its contingency plan.
"These metrics represent a new approach, which focuses on improving security, not just compliance," NIST said in a statement on its Web site. "These metrics should encourage agencies to take concrete steps to improve their security posture."
There are four new categories of metrics: remote access management, data-level controls, identity and access management, and real-time security awareness and management, along with a focus on monitoring tools.
For example, the metrics will ask whether the agency can provide a real-time data feed of its asset inventory covering all devices connected to its networks and all the software installed on those devices. Agencies will be asked how often they scan their networks, what requirements and controls they have in place for remote access, what kinds of threats they monitor for and how, whether the agency participates in important optional efforts such as US-CERT briefings (and, if not, why not), and whether training covers specific technologies.
The new metrics will be made part of the annual FISMA metrics that agencies have been reporting for years, which this year, for the first time, are being reported automatically through the OMB's new Cyberscope tool rather than via spreadsheets, paperwork, and other non-standard means.