CIO Council - Chief Information Officers Council - Beta

Moving Beyond Compliance: The Status Quo Is No Longer Acceptable

September 28th, 2009

Vivek Kundra

Vivek Kundra (Federal CIO), Robert Carey (Navy CIO) and Vance Hitch (DOJ CIO)

The threats to our nation’s information security continue to evolve, and therefore our approach to cybersecurity must confront these new realities. In order to meet the evolving challenges we now face, Federal Information Security Management Act (FISMA) metrics need to be rationalized to focus on outcomes over compliance. Doing so will enable new and actionable insight into agencies’ information and network security postures, possible vulnerabilities and the ability to better protect our federal systems.

With this in mind, we have established a taskforce to develop new metrics for information security performance for Federal agencies that are focused on outcomes. To solicit the best ideas, OMB has reached out across the Federal community, as well as to the private sector.

Participants in the taskforce include: the Federal CIO Council, the Council of Inspectors General on Integrity and Efficiency, the National Institute of Standards and Technology, the Department of Homeland Security, the Department of Defense, the Director of National Intelligence, the Government Accountability Office and the Information Security and Privacy Advisory Board.

The participants in the Security Metrics Taskforce held their inaugural meeting on September 17, 2009. OMB plans to have the taskforce develop a draft set of metrics for comment by the end of November.

The participants agreed that a new set of security metrics could move the agencies forward in securing their systems as “what gets measured, gets done.” They discussed the various factors that will impact the development of new metrics, including:

  • A trust but verify approach
  • Fulfilling statutory requirements
  • Real-time awareness of security posture

At the next meeting, the taskforce will begin developing potential metrics and we look forward to your input.