Need a little more verify to go with that trust

One notable aspect of the widely-reported launch of a Security Metrics Taskforce charged with coming up with new, outcome-based standards for measuring the effectiveness of federal agency information security efforts is a statement written by federal CIO Vivek Kundra, Navy CIO Robert Carey, and Justice CIO Vance Hitch that the group would follow a “trust but verify” approach while also fulfilling statutory requirements and driving towards real-time security awareness. This is consistent with the security posture of many federal agencies, particularly on the civilian side, that in general users and organizations can be trusted to do the right thing in terms of following policies and taking on expected responsibilities and obligations. There are many current examples (HIPAA security and privacy rules, FISMA requirements, etc.), where a major set of requirements has been enacted but no formal monitoring or auditing is put in place to make sure everyone is behaving as they should. Voluntary reporting of violations and requirements with no penalties for failing to comply can only be successful if the assumption holds that you can trust everyone to do the right thing. The new task force would go a long way towards achieving its stated goal of better protecting federal systems if the metrics it proposes include some set of requirements for auditing compliance with the appropriate security controls and management practices. If the recommended metrics do include those aspects, there may even be an opportunity for the government to define penetration testing standards and services that could be implemented across agencies to validate the effective implementation and use of the security mechanisms they select to secure their environments. Focusing on outcome-based metrics that agencies are ultimately left to their own to measure and track, even with real-time situational awareness, will fall short of hardening the federal cybersecurity infrastructure to the point where it is well-positioned to defend against the constantly evolving threats it faces.