The U.S. Department of Homeland Security, National Cyber Security Division, issued the FY 2011 CIO FISMA Reporting guidelines which require agencies to report on their progress in automating the continuous measurement of their most critical security risks.
The idea is that you can only improve what you can measure, and that requiring agencies to comply with standard guidelines improves overall security.
The new metrics cover 13 areas that include system inventory, asset management, configuration management, vulnerability management, identity and access management, data protection, boundary protection, incident management, training and education, remote access, network security protocols, software assurance and continuous monitoring.
Some of the detailed reporting requirements include the number of agency- and contractor-operated systems categorized at high, moderate or low impact level for a security breach, and individual assets, including laptops and personal mobile devices as well as routers in the network, together with their ability to encrypt data.
Agencies are also to report on their ability to remotely detect and block unauthorized software on the network, including their capability to use the Common Vulnerabilities and Exposures (CVE) database.
President Obama's White House blog post from May is consistent with this latest policy update; in it he states:
“We count on computer networks to deliver our oil and gas, our power and our water. We rely on them for public transportation and air traffic control… But just as we failed in the past to invest in our physical infrastructure – our roads, our bridges and rails – we’ve failed to invest in the security of our digital infrastructure… This status quo is no longer acceptable – not when there’s so much at stake. We can and we must do better. – President Obama”
Compare your internal risk assessments and security strategy by accessing the document here.