Measuring What Matters – New Security Framework

Measuring What Matters: Reducing Risk by Rethinking How We Evaluate Cybersecurity

After Congress failed to pass cybersecurity legislation last year, President Barack Obama introduced an executive order that focuses on security standards, information sharing and privacy protections. Those directives are now in the early stages of going into effect. Lawmakers have vowed to take up cyber legislation again this year, but in the meantime, a new report offers a framework for federal, state and local agencies to get ahead on cybersecurity.

SafeGov issued the report, titled “Measuring What Matters: Reducing Risk by Rethinking How We Evaluate Cybersecurity” in conjunction with the National Academy of Public Administration at an event March 26, 2013.

The document states that “despite the guidance of experts and millions of taxpayer dollars, federal information systems remain critically vulnerable to breaches and cyberattacks. This approach will strengthen the security of government information systems and improve the overall management of government resources by focusing scarce resources on the areas that pose the highest risks to agencies’ missions.”

The report does not call for new cybersecurity legislation, but instead offers a roadmap for transforming compliance procedures within the existing Federal Information Security Management Act (FISMA).

The report recommends that agencies focus more on implementing critical security controls and automated continuous monitoring, diagnostics and mitigation; estimating risk on a continuous basis; and establishing the mechanisms required to test and verify that critical security controls are effective.