Government security looks to address outcomes

In an development that should come as a welcome surprise to security watchers critical of U.S. federal information security efforts as too focused on compliance (at the expense of effectiveness), the Federal CIO Council announced last week that a new task force has been established (it held its first meeting on September 17) and begun work on new metrics for information security that will focus on outcomes. This effort is the latest development in a groundswell of activity both within Congress and parts of the executive branch to revise the requirements under the Federal Information Security Management Act (FISMA) to put less emphasis on compliance with federal security guidance, and more emphasis on results from implementing security controls. Legislation in various forms of development from both the house and the senate would require a similar re-alignment of security measurement approaches, so the action by the CIO Council would seem to be partly in anticipation of such requirements being enacted in law. The collaborative group includes participants from several key agencies as well as the information security and privacy advisory board (ISPAB). The schedule for the group appears quite ambitious: the task force is expected to have a draft set of metrics available for public comment by the end of November.