Measuring What Matters: Reducing Risk by Rethinking How We Evaluate Cybersecurity
After Congress failed to pass cybersecurity legislation last year, President Barack Obama introduced an executive order that focuses on security standards, information sharing and privacy protections. Those directives are now in the early stages of going into effect. Lawmakers have vowed to take up cyber legislation again this year, but in the meantime, a new report offers a framework for federal, state and local agencies to get ahead on cybersecurity.
SafeGov issued the report, titled “Measuring What Matters: Reducing Risk by Rethinking How We Evaluate Cybersecurity” in conjunction with the National Academy of Public Administration at an event March 26, 2013.
The report does not call for new cybersecurity legislation, but instead offers a roadmap for transforming compliance procedures within the existing Federal Information Security Management Act (FISMA).
The report recommends that governing agencies focus more on implementing critical security controls and automated continuous monitoring, diagnostics and mitigation; estimating risk on a continuous basis; and ensuring that the mechanisms required for testing and verifying that critical security controls are effective are in place.