Cybersecurity Metrics Coming For Federal Agencies
Federal agencies may have to report a number of new cybersecurity metrics to the Office of Management and Budget, according to a draft of proposed cybersecurity performance metrics posted by the OMB and the National Institute of Standards and Technology. The new metrics have a strong emphasis on real-time monitoring. Critics have long faulted the government's cybersecurity compliance efforts under the Federal Information Security Management Act as focusing too heavily on metrics that have little to do with actual operational security, like whether an agency has tested its contingency plan. "These metrics represent a new approach, which focuses on improving security, not just compliance," NIST said in a statement on its Web site. "These metrics should encourage agencies to take concrete steps to improve their security posture." There are four new categories of metrics: remote access management, data-level controls, identity and access management, and real-time security awareness and management, as well as a focus on monitoring tools.